Encryption device, a decrypting device, a secret key generation device, a copyright protection system and a cipher communication device

ABSTRACT

An encryption device, a decrypting device, a secret key generation device, a copyright protection system and a cipher communication device including: a CRL memory unit memorizing a CRL, a device key ring memory unit memorizing a specific device key KD_A in every IC card used in a decrypting device, a content key memory unit memorizing a content key Kc, which is a secret key for decrypting content, and a hashing function processing unit calculating a hashing value of the CRL memorized in the CRL memory unit. The devices further including an Ex-OR unit carrying out an exclusive OR between the hashing value and the device key KD_A memorized in the device key ring memory unit, and an Enc unit encrypting the content key Kc memorized in the content key memory unit using an output value of an Ex-OR unit.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates to an encryption device and a decrypting device for protecting copyrights when transmitting digital productions via a recording medium or a transmission medium. More specifically, the present invention relates to a protection technique that protects against an attack enacted by a replacement of a Certificate Revocation List (CRL) specifying a revoked public key certificate.

2. Description of the Related Art

When a digital production is transmitted from a (first) device to another (second) device, prior to the transmission, a computer authentication is conducted to avoid a copyright infringement by an unauthorized obtainment. The first computer is to authenticate the second computer. In other words, the first computer makes sure that the second computer is a qualified computer to transmit to.

For example, a first computer sends a random number to a second computer, then the second computer encrypts the random number with its own secret key (i.e., digital signature) and transmits it to the first computer. Finally, the first computer verifies the transmitted encrypted text (or the digital signature) using the second computer's public key.

However, the authentication using the public key encryption should be based on the condition that the public key itself is not revoked.

Therefore, in recent years, a “public key certificate” for proving that a public key is a qualified key for each user is issued from an organization or a company called a “certificate authority” (CA). Among those issued public key certificates, there are certificates for users who have a secret key that is expired or stolen, or who have done something illegal. For nullifying those certificates (or notifying other users that those certificates are nullified), a Certificate Revocation List (hereinafter referred to as a “CRL”, a “public key certificate revocation list” or a “revocation list”), an information list for specifying the revoked public key certificates, is issued.

Accordingly, when authenticating a communication partner with the partner's public key, a public key certificate is obtained from the communication partner, and upon confirming that the obtained public key certificate is not listed on the CRL, the above-mentioned authentication processing is executed so as to avoid transmitting a valuable digital production to an unauthorized communication partner.

There are devices and systems (refer to Japanese patent No. 3199119) in which key checking is conducted by referring only to the public key certificate; however, such devices and systems cannot cover the case where there are certificates for users who have a secret key that is expired or stolen, or who have done something illegal, as stated above.

However, it is not possible for every computer to obtain the qualified CRL and check the validity of the public key certificate of the communication partner. As a result, unauthorized use is conducted.

For example, a device, such as a DVD drive device which plays back a DVD (Digital Video/Versatile Disc) on which digital works (i.e., movies) are recorded, obtains the qualified CRL via a DVD and reads out the latest CRL from the DVD, and then authenticates the communication partner computer (a computer that operates an integrated playback processing circuit or playback software) with reference to the CRL. In the process of reading out the CRL, there is a possibility that the CRL could be replaced with an old one.

As a result, although a computer is listed on the qualified (i.e., the latest) CRL as a revoked computer, it may be possible for a digital production to be transmitted illegally to the revoked computer with a revoked public key that is not yet listed on the replaced old CRL.

Also, when a computer which already holds a CRL obtains a new CRL, it is necessary to compare the two lists to figure out which is the latest, then hold only the latest one; that is, it is necessary to verify accurately which list should be held.

Accordingly, the first object of the present invention is, in the light of the above-mentioned problem, to provide an encryption device, a decrypting device, a secret key generation device, a copyright protection system and a cipher communication device that can defend against an attack enacted by a replacement of a CRL, and as a result, transmit a digital production safely.

And the second object of the present invention is to provide a cipher communication device that can specify the latest CRL accurately when a new CRL is obtained, and hold only the latest list in place of the old one.

BRIEF SUMMARY OF THE INVENTION

In order to achieve the above first object, an encryption device according to the present invention is an encryption device that encrypts and outputs the digital production to a recording medium or a transmission medium, and comprises a digital production memory unit operable to memorize a digital production, a first secret key memory unit operable to memorize a first secret key which is used for the encryption of the digital production, a second secret key memory unit operable to memorize a second secret key corresponding to a decrypting device that decrypts an encrypted digital production, a CRL memory unit operable to memorize a CRL which is an information list that specifies a revoked public key certificate, an attribute value calculating unit operable to calculate an attribute value dependent on details of a CRL based on the CRL memorized in the CRL memory unit, a transforming unit operable to transform the second secret key memorized in the second secret key memory unit with the attribute value calculated in the attribute value calculating unit, a first encryption unit operable to encrypt the first secret key memorized in the first secret key memory unit with the second secret key which is transformed by the transforming unit, a second encryption unit operable to encrypt the digital production memorized in the digital production memory unit with the first secret key memorized in the first secret key memory unit and an outputting unit operable to output the CRL memorized in the CRL memory unit, the first secret key encrypted by the first encryption unit and the digital production encrypted by the second encryption unit to the recording medium or the transmission medium.

As a result, the encrypted digital production, the encrypted first secret key which is used for encrypting the digital production, and the CRL are outputted from the encryption device. The encrypted first secret key is not encrypted only with the second secret key which corresponds to the decrypting device, but with the second secret key on which the details of the CRL have been reflected. Accordingly, when the CRL is replaced, the details of the CRL received by the decrypting device are different from the list reflected on the second secret key held in the decrypting device itself, that is, the second secret key is transformed. As a result, the decrypting device which received the encrypted digital production, the encrypted first secret key and the CRL cannot decrypt the encrypted first secret key to the original first secret key using the second secret key transformed as such. Therefore, the decrypting device cannot decrypt the encrypted digital production correctly. As a result, the safe transmission of the digital production, having a defending function against an attack enacted by a replacement of the CRL, is realized.

Also, the encryption device mentioned above may further include a confirmation data outputting unit operable to output confirmation data which is to be a criterion for confirming whether or not the first secret key decrypted by the decrypting device is a right key. For example, the confirmation data outputting unit outputs data obtained by encrypting predetermined fixed-pattern data with the first secret key memorized in the first secret key memory unit as confirmation data to the recording medium or the transmission medium, or the confirmation data outputting unit outputs data obtained by encrypting the first secret key memorized in the first secret key memory unit with the first secret key as confirmation data to the recording medium or the transmission medium.

As a result, the decrypting device which received the encrypted digital production outputted from the encryption device, the encrypted first secret key, and the CRL can verify whether or not the CRL has been replaced, that is, whether the first secret key is decrypted correctly or not, so as to avoid useless processing of decrypting the digital production with a wrong key.

Also, an encryption device is an encryption device that encrypts and outputs the digital production to a recording medium or a transmission medium, and comprises a digital production memory unit operable to memorize the digital production, a first secret key memory unit operable to memorize a first secret key which is used for the encryption of the digital production, a second secret key memory unit operable to memorize a second secret key corresponding to a decrypting device that decrypts an encrypted digital production, a CRL memory unit operable to memorize a CRL which is an information list that specifies a revoked public key certificate, a first encryption unit operable to encrypt the first secret key memorized in the first secret key memory unit with the second secret key which is memorized in the second secret key memory unit, an attribute value calculating unit operable to calculate an attribute value dependent on details of a CRL based on the CRL memorized in the CRL memory unit, a transforming unit operable to transform the first secret key memorized in the first secret key memory unit with the attribute value calculated in the attribute value calculating unit, a second encryption unit operable to encrypt the digital production memorized in the digital production memory unit with the first secret key transformed by the transforming unit and an outputting unit operable to output the CRL memorized in the CRL memory unit, the first secret key encrypted by the first encryption unit and the digital production encrypted by the second encryption unit to the recording medium or the transmission medium.

As a result, the encrypted digital production, the encrypted first secret key which is used for encrypting the digital production, and the CRL are outputted from the encryption device. The encrypted digital production is not encrypted only with the first secret key, but with the first secret key on which the details of the CRL have been reflected. Accordingly, when the CRL is replaced, the details of the CRL received by the decrypting device are different from the list reflected on the first secret key held in the decrypting device itself, that is, the first secret key is transformed. As a result, the decrypting device which received the encrypted digital production, the encrypted first secret key and the CRL cannot decrypt the encrypted digital production correctly using the first secret key transformed as such. As a result, the safe transmission of the digital production, having a defending function against an attack enacted by a replacement of the CRL, is realized.

Also, as mentioned above, it is possible for the decrypting device, which received the encrypted digital production outputted from the encryption device, the encrypted first secret key and the CRL, to judge whether or not the CRL is replaced, that is, whether the secret key used for the encryption of the digital production is correctly decrypted or not, by outputting a first secret key with an attachment of a confirmation data of a CRL, on which the first secret key has been reflected, from the encryption device, so as to avoid a useless processing of decrypting the digital production with a wrong key.

In order to achieve the above second object, a cipher communication device according to the present invention is a cipher communication device that establishes a cipher communication with a partner device using a public key of the partner device, and comprises a memory unit operable to memorize a CRL, which is an information list for specifying a revoked public key certificate, an obtaining unit operable to obtain a new CRL, a storage unit operable to compare a size of an obtained CRL and the CRL memorized in the memory unit, and when the obtained CRL is larger in size, to memorize the obtained CRL to the memory unit as an update, and a communication unit operable to judge a key validity of a partner device by referring to the CRL memorized in the memory unit, and when the public key is not revoked, to establish a cipher communication with the partner device using the public key.

It may be possible to change the above function of the storage unit so that it compares the number of certificates listed on the obtained CRL with the number of certificates listed on the CRL memorized in the above memory unit, and when the certificates listed on the obtained CRL are larger in number, memorizes it to the above memory unit as an update.

As a result, since the number of public key certificates listed on the CRL increases as time goes by, the cipher communication device can always hold a CRL that is large in size (or large in registration number), that is, a latest list.

The present invention, as stated above, allows the digital production to be transmitted safely against an attack by replacement of the CRL. The practical value of the present invention is extremely high in terms of delivering/distributing the digital production via a transmission line such as the Internet or a recording medium such as a DVD, which is active these days.

The present invention can be realized as a decrypting device which corresponds to the above encryption device or a secret key generation device, realized as a copyright protection system including the encryption device and the decrypting device, realized as an encryption method with steps of the characteristic unit that is comprised of the encryption device, the decrypting method or the cipher communication method, or realized as a program for having computers execute the above steps. In addition, needless to say, the program according to the present invention can be marketed via a recording medium such as a DVD or a transmission medium such as the Internet.

BRIEF DESCRIPTION OF DRAWINGS

These and other objects, advantages and features of the invention will become apparent from the following description thereof taken in conjunction with the accompanying drawings that illustrate a specific embodiment of the invention. In the Drawings:

FIG. 1 is a functional block diagram that shows an overall configuration of the recording medium copyright protection system 1 a according to the first embodiment.

FIG. 2 is a diagram that shows a constructional example of the CRL.

FIG. 3 is a diagram that shows a constructional example of the public key certificate for the copyright protection licensor.

FIG. 4 is a diagram that shows a constructional example of the public key certificate for the manufacturer of the player.

FIG. 5 is a diagram that shows the sequence of the processing conducted between the IC card 210 a in the decrypting device 200 a and the descrambler 260.

FIG. 6 is a functional block diagram that shows an overall configuration of the recording medium copyright protection system 1 b according to the second embodiment.

FIG. 7 is a functional block diagram that shows an overall configuration of the recording medium copyright protection system 1 c according to the third embodiment.

FIG. 8 is a functional block diagram that shows an overall configuration of the recording medium copyright protection system 1 d according to the fourth embodiment.

FIG. 9 is a functional block diagram that shows an overall configuration of the recording medium copyright protection system 1 e according to the fifth embodiment.

FIG. 10 is a functional block diagram that shows an overall configuration of the recording medium copyright protection system according to the sixth embodiment.

FIG. 11A is a flow chart that shows the verification processing conducted in the latest edition detecting processing unit 2391 in FIG. 10.

FIG. 11B is a flow chart that shows the latest edition list reading-out processing.

FIG. 12 is an external view of the HD-DVD player for which the decrypting devices 200 a to 200 f for the recording medium according to the first and the second embodiments are applied.

FIG. 13 is a functional block diagram that shows an overall configuration of the recording medium copyright protection system 1 g according to the seventh embodiment.

FIG. 14 is a functional block diagram that shows an overall configuration of the recording medium copyright protection system 1 h according to the eighth embodiment.

FIG. 15 is a functional block diagram that shows an overall configuration of the recording medium copyright protection system 1 i according to the ninth embodiment.

FIG. 16 is a diagram that shows an example of the copyright protection module which includes LSI.

FIG. 17 is a block diagram that shows an overall configuration of a copyright protection system which establishes a cipher communication of the contents via a small-scale home LAN.

FIG. 18 is a block diagram that shows a construction of the AV server 100 j and the plasma TV 200 k of FIG. 17.

DETAILED DESCRIPTION OF THE INVENTION

The following is an explanation of the copyright protection system according to the embodiments of the present invention with reference to figures.

The First Embodiment

FIG. 1 is a functional block diagram that shows an overall configuration of the recording medium copyright protection system 1 a according to the first embodiment.

A recording medium copyright protection system 1 a is a system that records a content encrypted on a DVD 2 a as a recording medium, or reads out the encrypted content from the DVD 2 a and decrypts it. The system includes an encryption device 100 a that memorizes a content encrypted on the DVD 2 a, a decrypting device 200 a that reads out the encrypted content from the DVD 2 a and decrypts it, and a terminal device 300 that is used by a Certificate Authority (CA) issuing a CRL, etc.

The encryption device 100 a comprises two terminal devices, the terminal device 110 a that the copyright protection licensor uses and a terminal device 160 that a content manufacturer uses.

The decrypting device 200 a, for example, is an HD-DVD player with the ability to reproduce a content of a picture level HD (1125i/750p), and includes an IC card 210 a supplied by a copyright protection licensor, a descrambler 260 for the player manufacturer and a DVD-ROM drive (not shown in the Figure) which reads out the encrypted content from the DVD 2 a.

The terminal device 110 a that the copyright protection licensor uses is a computer device that provides information for the decrypting device 200 a to have a copyright protection, that is, it provides a CRL, a content key for decrypting the content, and an encrypted content key ring. It comprises a CRL memory unit 111, a device key ring memory unit 112, a content key memory unit 113, a hashing function processing unit 114, an Ex-OR unit 115 and an Enc unit 116.

The CRL memory unit 111 accesses the terminal device 300 regularly via a communication network, i.e., the Internet, etc., and updates/memorizes a latest CRL that the Certificate Authority (CA) provides. The CRL, as shown in FIG. 2, includes a “file header” field, a “general” field and a “revoked list” field. In the area of the “file header”, a “name” of the file ◯Δ□Δ.cr1, a “size” of the file 79 KB, a “type” of the file revoked certificate list and an “update” of the file 2001/09/07/12:34 are included. Also, in the area of the “general” field, a “version” V1, a “publisher” ◯Δ□Δ, a “validity start date” 2001/09/06, a “next update due date” 2001/09/16 and a “signature algorithm” md5RSA are included. Also, in the area of the “revoked list”, records of a “serial number” for a revoked certificate and a “revoked date” are described in a text form. Since the CRL increases monotonically as time goes by, the newer the CRL is, the larger the number of entries (registration units for the CRL) within the CRL identifying revoked certificate serial numbers. It has a characteristic that the size of the file increases monotonically.

The device key ring memory unit 112 memorizes a device key ring KD_A (i.e. 128 bit) that is specific to every IC card 210 a supplied by the copyright protection licensor, in advance.

The content key memory unit 113 memorizes a content key Kc (i.e. 128 bit), which is a secret key for encrypting a predetermined content, for example, music or movie.

The hashing function processing unit 114 is a processing unit that compresses a variable length of the CRL data memorized in the CRL memory unit 111, and converts it to a fixed length (i.e. 128 bit) data (hashing value Hash) based on a hashing function. The conversion is based on SHA-1 (Secure Hash Algorithm-1) or MD5, for example.

In the Ex-OR unit 115, an exclusive OR between the hashing value Hash calculated in the hashing function processing unit 114 and each device key KD_A memorized in the device key ring memory unit 112 is carried out (each device key KD_A is transformed with the hashing value).

The Enc unit 116 outputs the content key Kc memorized in the content key memory unit 113 to the Ex-OR unit 115, that is, encrypts with an exclusive OR between the hashing value Hash and the each device key KD_A and generates an encryption content key ring.

Additionally, the hashing function processing unit 114 and the Ex-OR unit 115 in the terminal device 110 a transform the device key KD_A using the CRL memorized in the CRL memory unit 111. This is because encrypting the content key Kc with the transformed device key KD_A establishes a relationship between the encrypted content key outputted from the Enc unit 116 and the CRL. By doing so, it is possible to defend against an attack enacted by replacing a CRL at the time of the decrypting processing in a decrypting device 200 a, as described later.

The terminal device 160, used by the content manufacturer, is a write device that records a CRL, which is passed from the terminal device 110 a, or the encrypted content key ring, to the DVD 2 a. The terminal device 160 includes a content memory unit 161 and an Enc unit 162.

The content memory unit 161 memorizes a predetermined content, for example, music or movie content.

The Enc unit 162 encrypts a content memorized in the content memory unit 161 with a content key Kc passed from the terminal device 110 a and generates an encrypted content.

As stated above, when the DVD 2 a is manufactured in the encryption device 100 a which includes two terminal devices 110 a and 160, the terminal device 110 a reads out the CRL from the CRL memory unit 111. The read out CRL is passed to the hashing function processing unit 114 and the terminal device 160. The hashing function processing unit 114 calculates the hashing value Hash of the CRL and passes it to the Ex-OR unit 115. The Ex-OR unit 115 reads out the device key KD_A, the content key Kc, etc., one by one from the device key ring memory unit 112 and calculates the exclusive OR with the hashing value Hash one after the other, then outputs each exclusive OR value to the Enc unit 116. The terminal device 110 a reads out the content key Kc from the content key memory unit 113 and passes it to the Enc unit 116 and the terminal device 160. The Enc unit 116 encrypts the passed content key Kc with each of the exclusive ORs outputted from the Ex-OR unit 115. More specifically, the Enc unit 116 encrypts the content key Kc with an exclusive OR between each value of the device key KD_A and the hashing value Hash. As a result, the Enc unit 116 generates a plurality of the encrypted content keys and passes them in a bunch to the terminal device 160.

The terminal device 160 writes the CRL passed from the terminal device 110 a and the encrypted content key ring to the DVD 2 a. Then the encrypted content generated by the Enc unit 162 is written to the DVD 2 a. The DVD 2 a, generated as such, is sold to users with the encrypted content bound together with the bunch of encrypted content keys and the latest CRL.

On the other hand, an IC card 210 a of the decrypting device 200 a, which decrypts such DVD 2 a, is comprised of a module (TRM: Tamper Resistance Module) that is used for preventing the computer program from being deliberately changed and for protecting a copyright by eliminating an illegal descrambler which is listed on the CRL. In other words, the IC card 210 a includes a content key decrypting unit 220 a which obtains a key for decrypting the encrypted content based on the CRL bound to the DVD 2 a and an authentication processing unit 230 a that checks whether a communication partner (descrambler 260) is revoked or not, and at the same time, sets a SAC (Secure Authentication Channel) with the descrambler 260 in a bilateral authentication form.

The authentication processing unit 230 a includes a public key memory unit for the certificate authority (CA) 231, a secret key for the IC card memory unit 232, a public key certificate memory unit for the IC card (the copyright licensor) 233, a random number generation unit 234, a CRL checking unit 235, an elliptic curve cryptography (ECC) processing unit 236, an authentication unit 237 and a buffer memory 238.

The public key memory unit for the certificate authority (CA) 231 memorizes a public key for authority PK_CA used for decrypting a digital signature of the Certificate Authority (CA) in advance.

The secret key memory unit for the IC card 232 memorizes in advance a secret key SK_A for the IC card, which is specific to the IC card 210 a supplied by the copyright protection licensor and is used by the IC card 210 a for its own digital signature.

The public key certificate memory unit for the IC card 233 memorizes a public key certificate for an IC card Cert_A, which is a document by which the Certificate Authority (CA) proves that the public key PK_A belongs to the IC card 210 a. The public key certificate for the IC card Cert_A, as shown in FIG. 3, includes an ID for the IC card 210 a (copyright protection licensor), a public key for the IC card for a secret key for IC card SK_A, a CA's signature for the public key for the IC card PK_A, an expiry date (for the certificate), and so on.

The random number generation unit 234 generates a random number (i.e., 128 bit) as a time modulation value.

The CRL checking unit 235 checks whether or not the CRL includes the partner's (descrambler 260) ID.

The Elliptic Curve Cryptography (ECC) processing unit 236 executes an encryption processing (i.e., 256 bit processing unit) based on the elliptical curve when the authentication of the SAC is set.

The authentication unit 237 is a communication interface that communicates with the descrambler 260 via the SAC.

The buffer memory 238 holds temporary data such as a random number generated from the random number generation unit 234 or data that the Elliptic Curve Cryptography (ECC) processing unit 236 generates.

The content key decrypting unit 220 includes a device key memory unit 221, a hashing function processing unit 222, an Ex-OR unit 223 and a Dec processing unit 224.

The device key memory unit 221 memorizes a specific device key KD_A (it is a secret key, i.e., AES 128 bit key) into the IC card 210 a.

The hashing function processing unit 222 has the same construction as the hashing function processing unit 114 of the terminal device 110 a and calculates a hashing value Hash (i.e., 128 bit) of the CRL bound to the DVD 2 a.

The Ex-OR unit 223 calculates an exclusive OR between a hashing value Hash calculated in the hashing function processing unit 222 and each device key KD_A memorized in the device key memory unit 221 (transforms each device key KD_A with the hashing value).

The Dec processing unit 224 generates a content key Kc by decrypting its own encrypted content key memorized in a predetermined place inside the encrypted content key ring bound to DVD 2 a with an exclusive OR value between the device key KD_A and the hashing value Hash.
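The CRL binding described above (units 114 to 116 on the licensor side, units 221 to 224 in the IC card), together with the fixed-pattern confirmation data from the summary, as an added example that is not code from the patent. Assumptions: SHA-256 truncated to 128 bits stands in for the SHA-1/MD5 the text names, an HMAC-SHA256 keystream stands in for the Enc/Dec units, and `make_disc`, `recover_content_key`, `FIXED_PATTERN`, the card IDs and the CRL sample text are hypothetical.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 16                          # 128-bit keys, as in the text
FIXED_PATTERN = b"CONFIRM-PATTERN!"   # assumed 16-byte fixed-pattern data


def crl_attribute(crl: bytes) -> bytes:
    """Hashing unit: fixed-length attribute value of the CRL.
    Assumption: SHA-256 truncated to 128 bits (the text names SHA-1 or MD5,
    both of which have known collision attacks)."""
    return hashlib.sha256(crl).digest()[:KEY_LEN]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Ex-OR unit: bytewise exclusive OR of two equal-length values."""
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Stand-in cipher (not AES): HMAC-SHA256 in counter mode as a keystream.
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return out[:n]


def enc(key: bytes, plaintext: bytes) -> bytes:
    """Enc unit stand-in: random nonce followed by the XOR-ed ciphertext."""
    nonce = secrets.token_bytes(12)
    return nonce + xor_bytes(plaintext, _keystream(key, nonce, len(plaintext)))


def dec(key: bytes, blob: bytes) -> bytes:
    """Dec unit stand-in: inverse of enc()."""
    nonce, ct = blob[:12], blob[12:]
    return xor_bytes(ct, _keystream(key, nonce, len(ct)))


def make_disc(crl: bytes, device_keys: dict, kc: bytes) -> dict:
    """Licensor side: encrypt Kc once per device under KD xor Hash(CRL)."""
    h = crl_attribute(crl)
    key_ring = {card: enc(xor_bytes(kd, h), kc)
                for card, kd in device_keys.items()}
    # Confirmation data: the fixed pattern encrypted with Kc itself.
    return {"crl": crl, "key_ring": key_ring,
            "confirmation": enc(kc, FIXED_PATTERN)}


def recover_content_key(crl: bytes, disc: dict, card: str, kd: bytes):
    """IC card side: rebuild KD xor Hash(CRL) from the CRL it was handed,
    decrypt its own key-ring entry, and check the confirmation data.
    Returns Kc, or None when the candidate key fails the check."""
    candidate = dec(xor_bytes(kd, crl_attribute(crl)), disc["key_ring"][card])
    pattern = dec(candidate, disc["confirmation"])
    return candidate if hmac.compare_digest(pattern, FIXED_PATTERN) else None


def demo():
    # Constructed sample CRLs in a serial-number / revoked-date text form.
    old_crl = b"serial=0001 revoked=2001/08/01\n"
    new_crl = old_crl + b"serial=0042 revoked=2001/09/06\n"
    device_keys = {"card-A": secrets.token_bytes(KEY_LEN),
                   "card-B": secrets.token_bytes(KEY_LEN)}
    kc = secrets.token_bytes(KEY_LEN)
    disc = make_disc(new_crl, device_keys, kc)

    kd_a = device_keys["card-A"]
    genuine = recover_content_key(disc["crl"], disc, "card-A", kd_a)
    # The CRL on the read path is swapped for the older list: the transformed
    # device key changes, so the key-ring entry no longer decrypts to Kc.
    swapped = recover_content_key(old_crl, disc, "card-A", kd_a)
    # A device key that is not in the ring fails the same way.
    foreign = recover_content_key(disc["crl"], disc, "card-A",
                                  secrets.token_bytes(KEY_LEN))
    return genuine == kc, swapped is None, foreign is None


if __name__ == "__main__":
    print(demo())
```

The check only shows that the decrypting side was handed the same CRL the licensor hashed; whether that CRL is the one actually used for the revocation check is a separate question the binding does not answer by itself.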

The descrambler 260, which has the same construction as the IC card 210 a, is configured with a module used for preventing an illegal tamper of the computer program, which includes an authentication processing unit 270 for checking whether or not a communication partner (IC card 210 a) is revoked with the CRL, and for setting a SAC with the IC card 210 a in a bilateral authentication form, and a Dec processing unit 280 for decrypting an encrypted content read out from the DVD 2 a with a content key passed from the IC card 210 a and for obtaining a content.

The authentication processing unit 270 comprises a public key memory unit for the certificate authority (CA) 271, a secret key memory unit for the descrambler 272, a public key certificate memory unit for the descrambler (player manufacturer) 273, a random number generation unit 274, a CRL checking unit 275, an Elliptic Curve Cryptography (ECC) processing unit 276, an authentication unit 277 and a buffer memory 278.

The public key memory unit for the certificate authority (CA) 271 memorizes the public key for the certificate authority (CA) of the certificate authority (CA) PK_CA in advance.

The secret key memory unit for the descrambler 272 is supplied by the HD-DVD player 200 manufacturer and memorizes a specific secret key for the descrambler SK_i which is used for the descrambler 260's own signature.

The public key certificate memory unit for the descrambler 273 memorizes a public key certificate for the descrambler Cert_i, which is a document by which the certificate authority (CA) proves that the public key PK_i belongs to the player manufacturer. The certificate for the descrambler Cert_i, as shown in FIG. 4, includes an ID (serial number for a certificate) of the descrambler 260 (the player manufacturer), a public key for the descrambler PK_i for a secret key for the descrambler SK_i, a digital signature of the certificate authority (CA) for the public key for the descrambler PK_i and an expiry date (for the certificate).

The random number generation unit 274 generates a random number (i.e., 128 bit) as a time modulation.

The CRL checking unit 275 checks whether or not a partner (IC card 210 a) ID number is included in the CRL.

The Elliptical Curve Cryptography (ECC) processing unit 276 executes an encryption processing (i.e., 256 bit processing unit) based on the elliptical curve when an authentication of the SAC is set.

The authentication unit 277 is a communication interface which communicates with the IC card 210 a via the SAC.

The buffer memory 278 holds temporary data such as a random number generated from the random number generation unit 234 or data that the Elliptical Curve Cryptography (ECC) processing unit 276 generated.

Reference is now made to FIG. 5, which illustrates a SAC setting between the IC card 210 a and the descrambler 260, and a sequence of decrypting the encrypted content recorded on the DVD 2 a. FIG. 5 is a diagram that shows the sequence of the processing conducted between the IC card 210 a in the decrypting device 200 a and the descrambler 260.

When a user instructs to playback the content of the DVD 2 a, the randomnumber generation unit 274 of the descrambler 260 generates a firstrandom number y (i.e., 128 bit) and memorizes it to the buffer memory278 (S1). The authentication unit 277 of the descrambler 260 reads outthe first random number y memorized in the buffer memory 278 and apublic key certificate for the descrambler Cert_i memorized in thepublic key certificate memory unit for the descrambler 273, and thensends them to the IC card 210 a (S2).

The authentication unit 237 in the IC card 210 a stores the first random number y received from the descrambler 260 and the public key certificate for the descrambler Cert_i in the buffer memory 238. The CRL checking unit 235 checks whether or not the descrambler 260 is revoked based on the CRL passed from the HD-DVD player 200 a (S3). More specifically, the check is based on whether or not the ID of the descrambler 260 is listed on the CRL. When the descrambler 260 is not revoked, the authentication unit 237 verifies the public key certificate Cert_i with the public key of the certificate authority (CA) PK_CA (S4). More specifically, the digital signature of the public key authority included in the public key certificate for the descrambler Cert_i is decrypted with the public key of the certificate authority (CA) PK_CA, and it is verified whether the public key certificate for the descrambler Cert_i really belongs to the descrambler 260. After the verification, the random number generation unit 234 generates the first random number x (i.e., 128 bit) and stores it in the buffer memory unit 238 (S5). The authentication unit 237 reads out the first random number x memorized in the buffer memory 238 and the public key certificate for the IC card Cert_A memorized in the public key certificate memory unit for the IC card 233, and sends them to the descrambler 260 (S6).

In the descrambler 260, after the first random number x received from the IC card 210 a and the public key certificate for the IC card Cert_A are memorized in the buffer memory 278, the CRL checking unit 275 checks whether or not the IC card 210 a is revoked based on the CRL passed from the HD-DVD player 200 a (S7). In other words, the check is made by judging whether or not the ID of the IC card 210 a is listed on the CRL. When it is not revoked, the authentication unit 277 verifies the public key certificate for the IC card Cert_A with the public key of the certificate authority (CA) PK_CA (S8). In other words, the authentication unit 277 decrypts the digital signature of the public key authority included in the public key certificate for the IC card Cert_A, and it is verified whether or not the public key certificate for the IC card Cert_A really belongs to the IC card 210 a. After the verification, the random number generation unit 274 generates the second random number y′ (i.e., 128 bit) and memorizes it in the buffer memory 278 (S9). The Elliptical Curve Cryptography (ECC) processing unit 276 multiplies the second random number y′ and a base point G (a constant) on an elliptic curve and thus generates y′G. Then y′G is memorized in the buffer memory 278 (S10). Next, the authentication unit 277 generates a digital signature S1:=Sig(SK_i, y′G∥x) that corresponds to the multiplication result y′G and memorizes the digital signature S1 in the buffer memory 278 (S11). This digital signature is made by signing, with the secret key SK_i, the bit connection of the multiplication result y′G and the first random number x. The symbol “∥” stands for a bit connection, indicating that y′G and the random number x are connected in the digit direction, resulting in 256 bits (i.e., y′G as the upper 128 bits and the random number x as the lower 128 bits). After the memorizing of the digital signature S1 is finished, the authentication unit 277 sends the multiplication result y′G and the digital signature S1, which corresponds to y′G, to the IC card 210 a (S12).

The authentication unit 237 in the IC card 210 stores y′G and the digital signature S1, which corresponds to y′G, in the buffer memory 238, and after that verifies whether or not the digital signature S1 is the digital signature of the descrambler 260 that corresponds to y′G∥x, using the public key for the descrambler PK_i obtained from the public key certificate for the descrambler Cert_i (S13). In other words, the verification is conducted by decrypting the digital signature S1 using the public key for the descrambler PK_i and separating the bit connection between y′G and the random number x. This enables confirmation that the communication partner (descrambler 260) is not an illegal partner.

After the verifications mentioned above, the random number generation unit 234 in the IC card 210 a generates a second random number x′ and memorizes it in the buffer memory unit 238 (S14). The Elliptical Curve Cryptography (ECC) processing unit 236 multiplies the second random number x′ and a base point G (a constant) on an elliptic curve and thus generates x′G. Then x′G is memorized in the buffer memory 238 (S15). Next, the authentication unit 237 generates a digital signature S0:=Sig(SK_A, x′G∥y), which corresponds to the multiplication result x′G, and memorizes the digital signature S0 in the buffer memory 238 (S16). This digital signature is made by signing, with the secret key SK_A, the bit connection of the multiplication result x′G and the first random number y. After the memorization of the digital signature, the authentication unit 237 sends the multiplication result x′G and the digital signature S0 to the descrambler 260 (S17).

The authentication unit 277 in the descrambler 260 memorizes the multiplication result x′G received from the IC card 210 a and the digital signature S0 in the buffer memory 278. After that, the authentication unit 277 verifies whether the digital signature S0 is the digital signature of the descrambler 260, which corresponds to x′G∥y, using the public key for the descrambler PK_A obtained from the public key certificate for the descrambler Cert_A (S18). In other words, the verification is conducted by decrypting the digital signature S1 using the public key for the descrambler PK_i and separating the bit connection between y′G and the random number x. This enables confirmation that the communication partner (descrambler 260) is not an unauthorized user.

After the authentication unit 277 in the descrambler verifies that the IC card 210 a is neither revoked nor wiretapped, it calculates K′=y′(x′G) by multiplying the second random number y′ (i.e., 128 bit) generated on its own side, which is memorized in the buffer memory 278, by the multiplication result x′G obtained from the communication partner, and memorizes the result K′ as a session key in the buffer memory 278 (S19).

On the other hand, after the authentication unit 237 in the IC card 210 a verifies that the descrambler 260 is neither revoked nor wiretapped, it calculates K′=x′(y′G) by multiplying the second random number x′ (i.e., 128 bit) generated on its own side, which is memorized in the buffer memory 238, by the multiplication result y′G obtained from the communication partner, and memorizes the result K as a session key in the buffer memory 238 (S20).

As a result, the IC card 210 a and the descrambler 260 hold a key of the same value K (=K′), and subsequently they can establish a cipher communication (S21) using K (=K′) as a session key.

After the session key K is generated, the content key decrypting unit 220 a in the IC card 210 a executes content key decrypting processing. In this processing, the hashing function processing unit 222 first calculates a hashing value Hash of the CRL passed from the HD-DVD player 200 a (S22). Next, the Ex-OR unit 223 carries out an exclusive OR between the own device key KD_A of the IC card 210 a memorized in the public key memory unit for certificate authority (CA) 231 and the hashing value Hash (S23). The Dec processing unit 224 decrypts the encrypted content key with the derived exclusive OR value, obtains the content key Kc (S24) and passes the content key Kc to the authentication unit 237, and then the content key decrypting processing is finished. After the content key Kc is given, the authentication unit 237 encrypts it with the session key K (S25) and sends it to the descrambler 260 via the SAC (S26). This protects the content key Kc from wiretapping.

The authentication unit 277 in the descrambler 260 decrypts the encrypted content key received from the IC card 210 a using the session key K′, obtains the content key Kc (S27) and passes the content key Kc to the Dec processing unit 280. The descrambler 260 decrypts the encrypted content with the content key Kc received from the authentication unit 277 and obtains the content (S28). This enables the content to be decrypted while protecting the copyright.

Alternatively, it may be possible to replace the IC card 210 a and the descrambler 260 with the HD-DVD player 200 a, and the CRL bound to the DVD 2 a with a CRL on which the self key is not yet revoked. In this case, the SAC is set in the same way as in the above-mentioned case, and processing can go on to the cipher communication step (S21) using the session key.

In this first embodiment, the CRL and the encrypted content key ring, encrypted with information associated with the hashing value Hash of the CRL, are bound to the DVD 2 a. For this reason, when the CRL is replaced, the hashing value Hash of the replaced CRL and the hashing value Hash of the CRL bound to the DVD 2 a do not match. As a result, it is impossible to obtain a qualified content key Kc by decrypting an encrypted content using the hashing value Hash of the replaced CRL. To obtain the qualified content key Kc for decrypting the encrypted content, it is necessary to pass the CRL bound to the DVD 2 a.

Accordingly, it is possible to intensify the copyright protection by eliminating a decrypting device 200 a which conducts an illegal operation such as a replacement of the CRL.

The Second Embodiment

FIG. 6 is an external view of an arrangement of the copyright protection system 1 b for recording medium according to the second embodiment. Since the components of the recording medium copyright protection system 1 b are identified using the same numbers as those in the recording medium copyright protection system 1 a of the first embodiment, their explanation is omitted except for the parts of the recording medium copyright protection system 1 b that are different from the recording medium copyright protection system 1 a.

In the terminal device 110 a in the encryption device 100 a according to the first embodiment, the Ex-OR unit 115 carries out the exclusive OR between the hashing value Hash of the CRL outputted from the hashing function processing unit 114 and each device key. The Enc unit 116 encrypts a content key Kc with the exclusive OR value and generates the encrypted content key ring. On the other hand, in the terminal device 110 b in the encryption device 100 b according to the second embodiment, the Enc unit 117 encrypts the content key Kc only with each device key memorized in the device key ring memory unit 112 and generates an encrypted content key ring encrypted only with each device key.

The terminal device 110 a in the encryption device 100 a according to the first embodiment passes the content key Kc, without any change, to the terminal device 160. So, the terminal device 160 encrypts a content with the content key Kc and generates the encrypted content. On the other hand, the terminal device 110 b in the encryption device 100 b according to the second embodiment carries out the exclusive OR between the hashing value Hash of the CRL outputted from the hashing processing unit 114 and the content key Kc in the Ex-OR unit 118 and passes it to the terminal device 160. As a result, the terminal device 160 receives the exclusive OR value, encrypts the content with the exclusive OR value, and generates the encrypted content in the Enc unit 162.

Accordingly, no hashing value Hash is associated with each encrypted content key bound to the DVD 2 b, but the encrypted content is associated with the hashing value Hash. This is the reverse of the case of the DVD 2 a.

The content key decrypting unit 220 a in the decrypting device 200 a according to the first embodiment calculates, in the Ex-OR unit 223, the exclusive OR between the self device key KD_A memorized in the device key memory unit 221 and the hashing value Hash of the CRL. The Dec processing unit 224 decrypts the encrypted content, with which the hashing value Hash is associated, with the exclusive OR value and obtains the content key Kc.

On the other hand, the content key decrypting unit 220 b in the decrypting device 200 b according to the second embodiment decrypts the encrypted content key in the Dec processing unit 225 using only the self device key memorized in the device key memory unit 221, because the hashing value Hash is not associated with the encrypted content key bound to the DVD 2 b, and obtains the content key Kc. Since the encrypted content bound to the DVD 2 b is associated with the hashing value Hash, the Ex-OR unit 226 carries out the exclusive OR between the content key Kc obtained from the Dec processing unit 225 and the hashing value Hash of the CRL calculated in the hashing function processing unit 222 and passes the obtained exclusive OR value to the authentication unit 237 in the authentication processing unit 230 a.

The exclusive OR value between the content key Kc and the hashing value Hash is passed from the authentication unit 237 to the Dec processing unit 280 via the SAC and the authentication unit 277 in the descrambler 260. The Dec processing unit 280 obtains a content by decrypting the encrypted content associated with the hashing value Hash, which is recorded on the DVD 2 b, with the exclusive OR between the content key and the hashing value Hash.

Accordingly, in the recording medium copyright protection system 1 b according to the second embodiment, it is necessary to pass the CRL bound to the DVD 2 a to obtain a key for decrypting the content, as is the case with the first embodiment. As a result, it is possible to intensify the copyright protection by eliminating a decrypting device 200 b which conducts an illegal operation such as a replacement of the CRL.

The Third Embodiment

FIG. 7 is a functional block diagram that shows an overall configuration of the recording medium copyright protection system 1 c according to the third embodiment. In this figure, functional parts corresponding to the recording medium copyright protection system 1 a according to the first embodiment are not shown, and only the parts specific to the recording medium copyright protection system 1 c are shown.

The IC card 210 a in the decrypting device 200 c according to the first embodiment simply passes the obtained content key Kc to the descrambler 260 b. In this way, it is impossible for the IC card 210 a itself to know whether or not the obtained key is a qualified key that can normally decrypt the encrypted content. Accordingly, it is desirable to check whether or not the content key Kc has the right value before passing the obtained content key Kc to the descrambler 260.

Accordingly, the copyright protection system for a recording medium 1 c according to the third embodiment is a system having a key checking function. The terminal device 110 c, used by the copyright protection licensor of the encryption device 100 c, has a fixed-pattern memory unit 119 besides the componentry of the terminal device 110 a. The fixed-pattern memory unit 119 memorizes a predetermined fixed-pattern plaintext (i.e., the fixed-pattern plaintext indicated in hex “0123456789ABCDEF”), which is encrypted with the content key Kc in advance. This fixed pattern memorized in the fixed-pattern memory unit 119 is bound to the DVD 2 c via the terminal device 160.

The content key decrypting unit 220 c set in the IC card 210 c in the decrypting device 200 c includes a Dec processing unit 227 and a content decrypting key checking unit 228 besides the componentry of the content key decrypting unit 220 a. The Dec processing unit 227 decrypts the encrypted data of the fixed-pattern plaintext bound to the DVD 2 a with the content key Kc decrypted by the Dec processing unit 224. The content decrypting key checking unit 228 holds the above-mentioned fixed-pattern plaintext ‘0123456789ABCDEF’ in advance and checks whether or not the decrypting key Kc has the right value by checking whether or not the pre-held fixed-pattern plaintext and the fixed-pattern plaintext decrypted by the Dec processing unit 227 have the same value.

In accordance with the recording medium copyright protection system 1 c, it is possible to check, in advance, whether or not the content key Kc has the right value within the IC card 210 c. Executing the decrypting processing with a wrong content key Kc in the descrambler 260 can thus be avoided.

In the recording medium copyright protection system 1 c according to the third embodiment, the key checking function is applied to the recording medium copyright protection system 1 a according to the first embodiment, but the key checking function may also be applied to the recording medium copyright protection system 1 b according to the second embodiment.

In such a case, since the content is encrypted with the exclusive OR between the content key Kc and the hashing value Hash of the CRL, the fixed-pattern memory unit 119 memorizes in advance, as a fixed pattern, the fixed-pattern plaintext ‘0123456789ABCDEF’ encrypted using the exclusive OR between the content key Kc and the hashing value Hash, and records it on the DVD 2 c.

The Dec processing unit 227 in the content key decrypting unit 220 c uses, in place of the output of the Dec processing unit 224 (the content key Kc), the output of the Ex-OR unit 226 (refer to FIG. 6); that is, it decrypts the encrypted data of the fixed-pattern plaintext bound to the DVD 2 a with the exclusive OR between the content key Kc and the hashing value Hash. The content decrypting key checking unit 228 is able to check whether or not the key for decrypting the encrypted content is a qualified key, in other words, whether or not the exclusive OR between the content key Kc and the hashing value Hash has the right value, by checking whether or not the pre-held fixed-pattern plaintext ‘0123456789ABCDEF’ and the fixed-pattern plaintext decrypted in the Dec processing unit 227 have the same value.
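The CRL binding of the first embodiment (S22 to S24) and the fixed-pattern key check of the third embodiment fit in one sketch. This is an added example, not code from the patent: the cipher is a toy XOR keystream standing in for the unnamed Enc/Dec units, the 128-bit hash is truncated SHA-256, and the CRL format, device IDs and key values are constructed.

```python
import hashlib
import hmac

FIXED_PATTERN = bytes.fromhex("0123456789ABCDEF")  # fixed-pattern plaintext from the page

def crl_hash(crl):
    """Hashing value Hash of the CRL (assumed: SHA-256 truncated to 128 bits)."""
    return hashlib.sha256(crl).digest()[:16]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def toy_cipher(key, data):
    """Stand-in for the Enc/Dec units: XOR with a SHA-256 keystream, so one call
    both encrypts and decrypts. Illustrative only, not a secure cipher."""
    stream, block = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + block.to_bytes(4, "big")).digest()
        block += 1
    return xor(data, stream)

def revoked_ids(crl):
    """Constructed CRL format: comma-separated ASCII device IDs."""
    return set(crl.decode("ascii").split(","))

def author_disc(crl, device_keys, kc):
    """Encryption device: everything returned here is bound to the disc."""
    h = crl_hash(crl)
    return {
        "crl": crl,
        # First embodiment: Kc encrypted under (device key XOR Hash) per device.
        "key_ring": {cid: toy_cipher(xor(kd, h), kc) for cid, kd in device_keys.items()},
        # Third embodiment: fixed pattern encrypted with Kc (unit 119).
        "pattern": toy_cipher(kc, FIXED_PATTERN),
    }

def card_release_key(disc, card_id, kd, crl_from_player, descrambler_id):
    """IC card side: returns (Kc, reason); Kc is None when playback must stop."""
    if descrambler_id in revoked_ids(crl_from_player):          # S3
        return None, "descrambler revoked"
    h = crl_hash(crl_from_player)                               # S22
    kc = toy_cipher(xor(kd, h), disc["key_ring"][card_id])      # S23-S24
    check = toy_cipher(kc, disc["pattern"])                     # units 227 and 228
    if not hmac.compare_digest(check, FIXED_PATTERN):
        return None, "content key check failed"
    return kc, "ok"

# Constructed sample data (not from the page).
KD_A = bytes(range(16))
KC = bytes.fromhex("00112233445566778899aabbccddeeff")
DISC_CRL = b"DESC-0007,DESC-0260"   # CRL bound to the disc
OLD_CRL = b"DESC-0007"              # older list without DESC-0260
DISC = author_disc(DISC_CRL, {"CARD-A": KD_A}, KC)

def demo():
    """Reasons for: bound CRL with a revoked partner, a substituted CRL, a normal run."""
    return [
        card_release_key(DISC, "CARD-A", KD_A, DISC_CRL, "DESC-0260")[1],
        card_release_key(DISC, "CARD-A", KD_A, OLD_CRL, "DESC-0260")[1],
        card_release_key(DISC, "CARD-A", KD_A, DISC_CRL, "DESC-0001")[1],
    ]
```

With the substituted list the revocation check passes, but the derived key differs from Kc, and the fixed-pattern comparison lets the card notice this before anything is handed to the descrambler.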

The Fourth Embodiment

FIG. 8 is a functional block diagram that shows an overall configuration of the recording medium copyright protection system 1 d according to the fourth embodiment. In this figure also, the functional parts corresponding to the recording medium copyright protection system 1 a according to the first embodiment are not shown and only the parts specific to the recording medium copyright protection system 1 d are shown.

The recording medium copyright protection system 1 d according to the fourth embodiment is a system that has a key checking function, as does the recording medium copyright protection system 1 c. The terminal device 110 d in the encryption device 100 d includes an Enc unit 131 besides the componentry of the terminal device 110 a. The Enc unit 131 generates content key reference data encrypted with the content key Kc read out from the content key memory unit 113. The content key reference data is bound to the DVD 2 d.

On the other hand, the content key decrypting unit 220 d set in the IC card 210 d in the decrypting device 200 d includes an Enc unit 241 and a content key checking unit 242 besides the componentry of the content key decrypting unit 220 a. The Enc unit 241, which has the same construction as the Enc unit 131 in the terminal device 110 d, encrypts the content key decrypted in the Dec processing unit 224 with the content key Kc and generates the content key reference data. The content key checking unit 242 matches up the content key reference data generated in the Enc unit 241 with the content key reference data bound to the DVD 2 d and, by checking whether both data have the same value, checks whether or not the content key Kc decrypted by the Dec processing unit 224 is the qualified key, that is, whether or not the key can be used for decrypting the encrypted content.

As stated above, in accordance with the recording medium copyright protection system 1 d, it is possible to check in advance, within the IC card 210 d, whether or not the content key Kc has the right value, as with the recording medium copyright protection system 1 c. Executing the decrypting processing with a wrong content key Kc in the descrambler 260 can thus be avoided.

In the recording medium copyright protection system 1 d according to the fourth embodiment, the key checking function is applied to the recording medium copyright protection system 1 a according to the first embodiment, but the key checking function may also be applied to the recording medium copyright protection system 1 b according to the second embodiment.

In such a case, since the content is encrypted using the exclusive OR between the content key Kc and the hashing value Hash of the CRL, the Enc unit 131 uses, in place of the output of the content key memory unit 113 (the content key Kc), the output of the Ex-OR unit 118; that is, it decrypts the encrypted data of the fixed-pattern plaintext bound to the DVD 2 a using the exclusive OR between the content key Kc and the hashing value Hash and records it as content key reference data on the DVD 2 c.

On the other hand, the Enc unit 241 in the content key decrypting unit 220 d uses, in place of the output of the Dec processing unit 224 (the content key Kc), the output of the Ex-OR unit 226 (refer to FIG. 6); that is, it encrypts the exclusive OR value between the content key Kc and the hashing value Hash using that exclusive OR value. The content key checking unit 242 checks whether or not the key generated in the Ex-OR unit 226 is the qualified key for decrypting the encrypted content by comparing the content key reference data generated in the Enc unit 241 and the content key reference data bound to the DVD 2 d.

The Fifth Embodiment

FIG. 9 is a functional block diagram that shows an overall configuration of the recording medium copyright protection system 1 e according to the fifth embodiment. In this figure also, the functional parts corresponding to the recording medium copyright protection system 1 a according to the first embodiment are not shown, and only the parts specific to the recording medium copyright protection system 1 e are shown.

The recording medium copyright protection system 1 e according to the fifth embodiment is a system that has the same key checking function as the recording medium copyright protection systems 1 c and 1 d, and its components are the same as those of the encryption device 100 d according to the fourth embodiment. The content key reference data generated by the Enc unit 131 is bound to the DVD 2 d.

The content key decrypting unit 220 e set in the IC card 210 e of the decrypting device 200 e includes a Dec processing unit 243 and a content key checking unit 244 besides the componentry of the content key decrypting unit 220 a. The Dec processing unit 243 decrypts the content key reference data, which was encrypted in the Enc unit 131 as stated above and is bound to the DVD 2 d, with the content key Kc decrypted in the Dec processing unit 224. The content key checking unit 244 matches up the content key Kc decrypted in the Dec processing unit 224 with the content key Kc decrypted in the Dec processing unit 243 and, by checking whether both keys have the same value, checks whether or not the content key Kc decrypted by the Dec processing unit 224 is the qualified key, that is, whether or not the key can be used for decrypting the encrypted content.

As stated above, in accordance with the recording medium copyright protection system 1 e, it is possible to check in advance, within the IC card 210 d, whether or not the content key Kc has the right value, as with the recording medium copyright protection systems 1 c and 1 d. Executing useless decrypting processing using a wrong content key Kc in the descrambler 260 can thus be avoided.

In the recording medium copyright protection system 1 e according to the fifth embodiment, the key checking function is applied to the recording medium copyright protection system 1 a according to the first embodiment, but the key checking function may also be applied to the recording medium copyright protection system 1 b according to the second embodiment.

In such a case, since the content is encrypted using the exclusive OR between the content key Kc and the hashing value Hash of the CRL, as in the fourth embodiment, the Enc unit 131 uses, in place of the output of the content key memory unit 113 (the content key Kc), the output of the Ex-OR unit 118; that is, it decrypts the encrypted data of the fixed-pattern plaintext bound to the DVD 2 a using the exclusive OR of the content key Kc and the hashing value Hash and records it as content key reference data on the DVD 2 c.

On the other hand, the Dec processing unit 243 in the content key decrypting unit 220 e decrypts the content key decrypting data read from the DVD 2 c using, in place of the output of the Dec processing unit 224 (the content key Kc), the output of the Ex-OR unit 226 (refer to FIG. 6), that is, the exclusive OR value between the content key Kc and the hashing value Hash. The content key checking unit 244 checks whether or not the key generated in the Ex-OR unit 226 is the qualified key that can decrypt an encrypted key, that is, it checks whether or not the exclusive OR value between the content key Kc and the hashing value Hash matches the key decrypted by the Dec processing unit 243.

The Sixth Embodiment

FIG. 10 is a functional block diagram that shows an overall configuration of the recording medium copyright protection system according to the sixth embodiment. In the recording medium copyright protection systems 1 a to 1 e, as stated above, the CRL checking unit 235 checks the CRL bound to the DVD and judges whether or not the communication partner (descrambler 260) is revoked. With this check, however, it is impossible to treat the descrambler 260 as revoked when the public key certificate of the communication partner (descrambler 260) was revoked in an update of the CRL made after the DVD was produced, that is, when the CRL bound to the DVD is old. For this reason, it is necessary to judge whether or not the communication partner (descrambler 260) is revoked using the latest possible CRL.

Therefore, the recording medium copyright protection system 1 f according to the sixth embodiment has, in the authentication processing unit 230 b in the IC card 210 f in the decrypting device 200 f, a latest edition CRL memory processing unit 239 besides the componentry of the authentication processing unit 230 a.

The latest edition CRL memory processing unit 239 is a processing unit operable to memorize a latest edition CRL, which is extracted from the CRLs received hitherto, and hold it in the decrypting device 200 f. The processing unit includes a latest edition detecting processing unit 2391, a latest edition detecting information memory unit 2392 and a memory unit 2393.

The latest edition detecting processing unit 2391 conducts verification processing of whether or not the CRL is the latest each time the CRL bound to the DVD 2 a is received.

The latest edition detecting information memory unit 2392 memorizes the latest edition detecting information of the CRL (i.e., the file size of the list) held by the decrypting device 200 f.

The memory unit 2393 memorizes the hashing value Hash (i.e., 128 bit) of the CRL held by the decrypting device 200 f. The reason is that, if a large CRL were memorized and held inside the IC card 210 f, the cost of the IC card 210 f would become high. That is, in this embodiment, a latest edition CRL memory unit 250 is installed outside the IC card 210 f (and inside the decrypting device 200 f) and memorizes the latest edition CRL, so that only the hashing value Hash of the list is memorized and held in the memory unit 2393 inside the IC card 210 f. When the CRL checking unit 235 checks whether or not the communication partner is a revoked device, the latest edition CRL is read out to the IC card 210 f and checked against the hashing value Hash.

More specifically, when a new CRL bound to the DVD 2 a is received, the latest edition detecting processing unit 2391 executes the verification processing of whether or not the CRL is a latest edition, as an intermediate step of holding (or not holding) a CRL, as shown in the flow chart of FIG. 11A.

That is, the latest edition detecting processing unit 2391 compares a file size, which is recorded in a header of the CRL bound to the DVD 2 a, with the size memorized in the latest edition detecting information memory unit 2392 (S101). This comparison is made on the basis of the characteristic of the CRL that the revoked computers increase monotonically and the file size becomes larger as time goes by.

As a result, when the file size of the CRL bound to the DVD 2 a is larger (“YES” in S101) than the previous one, that is, when the CRL read out from the DVD 2 a at the present moment is the latest, the file size of the latest edition is updated by storing it (overwriting) in the latest edition detecting information memory unit 2392 (S102). The latest edition detecting processing unit 2391 calculates a hashing value Hash of the latest edition list, stores the hashing value Hash in the memory unit 2393 (S103), stores the latest edition list in the latest edition CRL memory unit 250 (S104), and transfers the latest edition list to the CRL checking unit 235 (S105). Thus the confirmation verification processing ends.

On the other hand, when the file size of the CRL bound to the DVD 2 a is not larger (“NO” in S101) than the previous one, that is, when the CRL which is read out from the DVD 2 a at the present moment is not the latest, the latest edition detecting processing unit 2391 ends the confirmation verification processing immediately. When it is necessary to have the latest CRL, processing of reading out the latest CRL is executed, as shown in FIG. 11B.

In that reading-out processing, the latest edition detecting processing unit 2391 reads out the latest edition list from the memory unit outside the IC card, that is, the latest edition CRL memory unit 250 (S111), calculates the hashing value Hash of the latest edition list (S112), and verifies whether or not the calculated hashing value Hash matches the hashing value Hash memorized in the memory unit 2393 (S113). This verification is conducted to detect whether or not a replacement has been carried out. When no replacement has been carried out, the two hashing values Hash match.

When the hashing values Hash match (‘Yes’ in S113), the latest edition detecting processing unit 2391 transfers the latest edition list read out from the latest edition CRL memory unit 250 to the CRL checking unit 235 (S114) and ends the latest edition list reading-out processing. On the other hand, when the two hashing values Hash do not match (‘NO’ in S113), the latest edition detecting processing unit 2391 stops the processing (S115) and ends the reading-out processing. When the latest CRL cannot be read out because of the mismatch of the two hashing values Hash, the latest edition detecting processing unit 2391 assumes that some unauthorized use was conducted, and terminates all subsequent processing that uses the CRL (rejects authentication of the partner computer).

As a result, in accordance with the copyright protection system for the recording medium 1 f of the sixth embodiment, the latest of the CRLs read out from the DVD 2 a is held in the latest edition CRL memory unit 250 and used. Thus, authenticating a partner device using an old CRL can be avoided.

Additionally, although the file size is used to confirm the latest edition list according to the sixth embodiment, the number of certificates (the number of serial entries) registered in the CRL may also be used for this confirmation processing.
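The two flows of FIG. 11A and FIG. 11B can be followed in a short model. This is an added example, not code from the patent: the CRL layout (a 4-byte size header followed by 4-byte IDs), truncated SHA-256 as the 128-bit hash, the header-against-length check and all names are assumptions.

```python
import hashlib
import hmac
import struct

class CrlTampered(Exception):
    """The externally stored CRL no longer matches the hash kept in the IC card."""

def make_crl(ids):
    """Constructed CRL format: 4-byte big-endian total file size, then 4-byte IDs."""
    body = b"".join(struct.pack(">I", i) for i in sorted(ids))
    return struct.pack(">I", 4 + len(body)) + body

def crl_ids(crl):
    return {struct.unpack_from(">I", crl, off)[0] for off in range(4, len(crl), 4)}

def crl_hash(crl):
    return hashlib.sha256(crl).digest()[:16]   # assumed 128-bit hashing value

class LatestCrlUnit:
    """Latest edition CRL memory processing unit 239 (inside the IC card)."""

    def __init__(self, external_store):
        self.latest_size = 0            # unit 2392: latest edition detecting information
        self.latest_hash = None         # unit 2393: hash of the latest edition CRL
        self.external = external_store  # unit 250: outside the card, not trusted

    def receive(self, crl):
        """FIG. 11A. Returns the CRL if it became the latest edition, else None."""
        (size,) = struct.unpack_from(">I", crl, 0)
        if size != len(crl):            # added sanity check, not a step on the page
            raise ValueError("header size does not match the file")
        if size <= self.latest_size:    # "NO" in S101
            return None
        self.latest_size = size                  # S102
        self.latest_hash = crl_hash(crl)         # S103
        self.external["latest_crl"] = crl        # S104
        return crl                               # S105

    def read_latest(self):
        """FIG. 11B. Returns the stored CRL only if its hash still matches."""
        crl = self.external.get("latest_crl", b"")                 # S111
        stored = self.latest_hash or b""
        if not hmac.compare_digest(crl_hash(crl), stored):         # S112-S113
            raise CrlTampered("stored CRL was replaced")           # S115
        return crl                                                 # S114

    def partner_revoked(self, disc_crl, partner_id):
        """Check the partner against the newest list seen so far."""
        crl = self.receive(disc_crl) or self.read_latest()
        return partner_id in crl_ids(crl)
```

Inserting an older disc after a newer one leaves the decision with the stored list, and overwriting the external copy is caught by the hash held in the card.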

An explanation is now given, with reference to the figures, of an example where the decrypting devices 200 a to 200 f for the recording medium according to the embodiments of the copyright protection system of the present invention are applied to the HD-DVD player.

Reference is now made to FIG. 12 which illustrates an external view of an arrangement of the HD-DVD player which includes the decrypting devices 200 a to 200 f for the recording medium according to the embodiment of the present invention.

The HD-DVD player 200 is a system that plays back a content (i.e., movies) recorded on the DVD 2 a to 2 d using the IC card 210 a to 210 f. It comprises a card inserter 2100 into which the IC card 210 a to 210 f is inserted, a DVD-ROM drive 2200 that plays back the DVD 2 a to 2 d, and the descrambler 260 that is implemented inside the HD-DVD player 200.

In addition, the IC card 210 a to 210 f is a plastic card in which an IC chip, including a CPU, is embedded, and which is able to verify whether or not an access is a qualified access when the data is read out. As a result, it is very hard for an outsider to conduct an unauthorized use or to tamper, and thus high security is guaranteed.

By applying the encryption device according to the present invention to an image-playback system, the digital production recorded on the DVD 2 a to 2 d can be protected from illegal copying. The development of the present invention in the multimedia related products circulation market is to be expected.

The Seventh Embodiment

Reference is now made to FIG. 13 which illustrates a functional block diagram that shows an overall configuration of the recording medium copyright protection system 1 g according to the seventh embodiment. The functional elements of the recording medium copyright protection system 1 g that correspond to those of the recording medium copyright protection system 1 a of the first embodiment are given the same numbers, and their explanation is omitted except for the parts that differ from the recording medium copyright protection system 1 a.

The encryption device 100 a according to the first embodiment stores two keys, the device key ring KD_A and the content key Kc, in the device key ring memory unit 112 and the content key memory unit 113, respectively. Then, the content key Kc is encrypted with the device key ring KD_A with which the hashing value Hash of the CRL is associated, and the encrypted content key is generated. That is, the encryption is double layered with the device key KD_A and the content key Kc. This construction usually strengthens the encryption against an attack.

However, there are licensors who want to further strengthen the encryption. Therefore, the terminal device 110 e in the encryption device 100 e according to the seventh embodiment further strengthens the encryption by adopting a triple layered construction, with the device key KD_A and the content key Kc, as mentioned above, and a disk key Kd.

In other words, the terminal device 110 e in the encryption device 100 e includes a hashing function processing unit 114 that memorizes the disk key Kd, and Enc units 142, 143 besides the CRL memory unit 111, the device key ring memory unit 112, the content key memory unit 113, the hashing function processing unit 114 and the Ex-OR unit 115. In addition, this disk key Kd is located in the upper layer of the DVD, considering that the DVD records a plurality of content (approx. 7).

The Enc unit 142 encrypts the disk key Kd memorized in the disk key memory unit 141 using the exclusive OR between the hashing value Hash and each device key KD_A and generates an encrypted disk key ring.

The Enc unit 143 encrypts the content key Kc memorized in the content key memory unit 113 using the disk key Kd and generates the encrypted content key.

As a result, the terminal device 160 binds the encrypted content, the CRL, the encrypted disk key ring generated by the Enc units 142, 143 and the encrypted content key, to the DVD 2 e.

In response to the above, the content key decrypting unit 220 f in the IC card 210 g, which is in the decrypting device 220 f, memorizes only the device key KD_A and decrypts the disk key Kd by decrypting the encrypted disk key ring bound to the DVD 2 e using the device key KD_A and the hashing value Hash of the CRL. Furthermore, it decrypts the content key Kc by decrypting the encrypted content key bound to the DVD 2 e with the disk key Kd.

In other words, the content key decrypting unit 220 f includes Dec processing units 245 and 246 besides the device key memory unit 221, the hashing function processing unit 222 and the Ex-OR unit 223.

The Dec processing unit 245 decrypts the disk key Kd by decrypting the encrypted disk key ring passed by the descrambler 260 using the hashing value Hash of the device key KD_A and the hashing value Hash of the CRL.

The Dec processing unit 246 decrypts the content key Kc by decrypting the encrypted content key passed from the descrambler 260 using the disk key Kd.

Accordingly, the recording medium copyright protection system 1 g according to the seventh embodiment, as in the first embodiment, requires that the CRL bound to the DVD 2 e be passed in order to obtain, in return, the key for decrypting the content. This not only eliminates the illegal descrambler 260 that conducts a replacement of the CRL, but also strengthens the copyright protection further, because the secret key is triple layered. As a result, the encryption intensity increases against an attack.

Additionally, although the secret key is triple layered in this embodiment, it may be possible for it to be multilayered. In that case, the encryption intensity becomes higher against an attack.

Also, the terminal device 110 e may further include a confirmation data outputting unit that outputs, to the DVD 2 e, the confirmation data which is to be a criterion for verifying whether or not the content key decrypted in the decrypting device 200 k is the qualified key. This confirmation data outputting unit may output, as the confirmation data, data obtained by encrypting the predetermined fixed-pattern data using the content key memorized in the content key memory unit 113, to the DVD 2 e. Also, corresponding to the terminal device 110 e, the content key decrypting unit 220 f may include a content decrypting key checking unit 228, a content key checking unit 242 and a content decrypting key checking unit 244 to verify whether or not the decrypted content key is the qualified key.

The Eighth Embodiment

Reference is now made to FIG. 14 which illustrates an external view of an arrangement of a recording medium copyright protection system 1 h according to the eighth embodiment. The functional elements of the recording medium copyright protection system 1 h that correspond to those of the recording medium copyright protection system 1 g of the seventh embodiment are given the same numbers, and their explanation is omitted except for the parts that differ from the recording medium copyright protection system 1 g.

The terminal device 110 e in the encryption device 100 e according to the seventh embodiment encrypts the disk key Kd memorized in the disk key memory unit 141 using the exclusive OR value between the hashing value Hash and each device key KD_A, and generates the encrypted disk key ring; along with that, it encrypts the content key memorized in the content key memory unit 113 with the disk key Kd and generates the encrypted content key. As a result, the terminal device 110 e increases the encryption intensity against an attack; however, the load of the two encrypting processings becomes high. In the content key decrypting unit 220 f also, the load of the two decrypting processings becomes high.

Therefore, the terminal device 110 f in the encryption device 100 f, according to the recording medium copyright protection system 1 h, reduces the load by cutting out the processing of encrypting the content key Kc. It uses a medium ID memory unit 144, which memorizes the medium ID and a MID that is specific to every DVD, in place of the content key memory unit 113, and a one-way function unit 145, which generates a content key Kc based on the medium ID and the MID, in place of the Enc unit 143.

In other words, the terminal device 110 f in the encryption device 100 f further includes the medium ID memory unit 144 and the one-way function unit 145 besides the CRL memory unit 111, the device key ring memory unit 112, the hashing function processing unit 114, the Ex-OR unit 115, the disk key memory unit 141 and the Enc unit 142.

The one-way function unit 145 (i.e., Ex-OR) generates a content key Kc by inputting a medium ID memorized in the medium ID memory unit 144, a MID and a disk key Kd into the one-way function. The load of the processing of generating the content key Kc is much lighter than that of the processing of generating the encrypted content key in the Enc unit 143, shown in FIG. 13.

The terminal device 160 binds an encrypted disk key ring generated by the Enc unit 142, a medium ID outputted by the medium ID memory unit 144 and a MID, besides the CRL and the encrypted content, to the DVD 2 f.

On the other hand, the content key decrypting unit 220 g in the IC card 210 h of the decrypting device 200 h memorizes only the device key KD_A, decrypts the disk key Kd by decrypting an encrypted disk key ring bound to the DVD 2 e and the hashing value Hash of the CRL and generates the content key Kc based on the medium ID, the MID and the disk key Kd which are bound to the DVD 2 e.

In other words, the content key decrypting unit 220 g further includes a one-way function unit 247, which has the same construction as the unit 145, besides the device key memory unit 221, the hashing function processing unit 222, the Ex-OR unit 223 and the Dec processing unit 245.

The one-way function unit 247 generates the content key Kc by processing the medium ID and the MID put into the one-way function unit 247 using the disk key Kd. The load for this content key Kc generating processing is lighter than that of the content key decrypting processing in the Dec processing unit 246 of FIG. 13.

It is easy for the medium ID and the MID to be known because they are bound to the DVD 2 f; however, the construction of the one-way function units 145 and 247 is hard to learn, as is the case with the secret key.

Accordingly, because the recording medium copyright protection system 1 h according to the eighth embodiment requires, as in the first embodiment, that the CRL bound to the DVD 2 a be passed in order to get a key for decrypting content in return, it eliminates the descrambler 260 which conducts an unauthorized use, such as a replacement of the CRL, and increases the encryption intensity against an attack. Thus the encryption intensity further increases for the copyright protection, and the load on the terminal device 110 f and the content key decrypting unit 220 g is reduced.

In addition, the terminal device 110 f may further include a confirmation data outputting unit to output the confirmation data to the DVD 2 f. The confirmation data is to be a criterion for confirming whether or not a content key decrypted in the decrypting device 200 h is the qualified key. The confirmation data outputting unit may also encrypt the predetermined fixed-pattern data using the content key memorized in the content key memory unit 113 and output it as confirmation data. Also, the confirmation data outputting unit may output data obtained by encrypting the content key using the content key as confirmation data, to the DVD 2 f. In response to the terminal device 110 f, the content key decrypting unit 220 f may include a content decrypting key checking unit 228, a content key checking unit 242, and a content decrypting key checking unit 244.
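The key layering of the seventh and eighth embodiments, together with the fixed-pattern confirmation data, is sketched below as an added example that is not taken from the patent. The SHA-256 keystream cipher standing in for the Enc/Dec units, HMAC-SHA256 standing in for the one-way function units 145/247, the 16-byte key length and all sample values are assumptions.

```python
import hashlib
import hmac

KEY_LEN = 16
FIXED_PATTERN = b"FIXED-PATTERN-01"      # constructed confirmation plaintext
MOVIE = b"constructed AV payload"        # constructed content


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def toy_cipher(key: bytes, data: bytes, label: bytes) -> bytes:
    """Stand-in for the Enc/Dec units (assumption): XOR with a SHA-256 keystream.
    The label separates keystreams so one key never reuses a stream. Not for real use."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + label + counter.to_bytes(4, "big")).digest()
        counter += 1
    return xor_bytes(data, stream)       # the same call encrypts and decrypts


def crl_bound_key(device_key: bytes, crl: bytes) -> bytes:
    """Ex-OR unit: device key XOR the (truncated) hashing value of the CRL."""
    return xor_bytes(device_key, hashlib.sha256(crl).digest()[:KEY_LEN])


def one_way(kd: bytes, medium_id: bytes) -> bytes:
    """Stand-in for one-way function units 145/247 (HMAC-SHA256 is an assumption)."""
    return hmac.new(kd, medium_id, hashlib.sha256).digest()[:KEY_LEN]


def author_disc(crl, device_keys, kd, content, kc=None, medium_id=None):
    """Seventh embodiment when kc is given, eighth when medium_id is given."""
    disc = {"crl": crl,
            "disk_key_ring": {dev: toy_cipher(crl_bound_key(k, crl), kd, b"kd")
                              for dev, k in device_keys.items()}}
    if medium_id is not None:
        kc = one_way(kd, medium_id)      # Kc is derived, so no encrypted Kc is stored
        disc["medium_id"] = medium_id
    else:
        disc["enc_content_key"] = toy_cipher(kd, kc, b"kc")
    disc["confirmation"] = toy_cipher(kc, FIXED_PATTERN, b"confirm")
    disc["enc_content"] = toy_cipher(kc, content, b"content")
    return disc


def play(disc, dev_id, device_key, crl_passed_to_module):
    """Content key decrypting unit: returns the content, or None when the
    recovered content key fails the confirmation check."""
    bound = crl_bound_key(device_key, crl_passed_to_module)
    kd = toy_cipher(bound, disc["disk_key_ring"][dev_id], b"kd")
    if "medium_id" in disc:
        kc = one_way(kd, disc["medium_id"])
    else:
        kc = toy_cipher(kd, disc["enc_content_key"], b"kc")
    check = toy_cipher(kc, disc["confirmation"], b"confirm")
    if not hmac.compare_digest(check, FIXED_PATTERN):
        return None                      # wrong CRL or wrong device key
    return toy_cipher(kc, disc["enc_content"], b"content")


def demo_key_layers():
    device_keys = {"A": bytes(range(16)), "B": bytes(range(16, 32))}  # constructed
    crl_new = b"constructed CRL v2: serials 0x11, 0x27"
    crl_old = b"constructed CRL v1: serial 0x11"
    kd = hashlib.sha256(b"disk key").digest()[:KEY_LEN]
    kc = hashlib.sha256(b"content key").digest()[:KEY_LEN]
    discs = {"seventh": author_disc(crl_new, device_keys, kd, MOVIE, kc=kc),
             "eighth": author_disc(crl_new, device_keys, kd, MOVIE, medium_id=b"MID-0001")}
    # For each disc: play with the bound CRL, then with a replaced (older) CRL.
    return {name: (play(d, "A", device_keys["A"], d["crl"]),
                   play(d, "A", device_keys["A"], crl_old))
            for name, d in discs.items()}


if __name__ == "__main__":
    print(demo_key_layers())
```

With the replaced CRL the outer key is wrong, so every inner layer decrypts to garbage and the confirmation data rejects the result instead of passing a bad key to the descrambler.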

The Ninth Embodiment

Reference is now made to FIG. 15 which illustrates a functional block diagram that shows an overall configuration of the recording medium copyright protection system 1 i according to the ninth embodiment. The functional elements of the recording medium copyright protection system 1 i that correspond to those of the recording medium copyright protection system 1 a of the first embodiment are given the same numbers, and their explanation is omitted except for the parts that differ from the recording medium copyright protection system 1 a.

By the way, it is also necessary for a DVD medium to have a copyright protection, as is the case with the HD-DVD, because the DVD has a very high affinity with a personal computer (PC). As a result, the DVD can be read out in a personal computer (PC). When the DVD drive is mounted to the PC, the PC also installs the playback software on the hard disk so as to view a content using the PC as a decrypting device, as is the case with the DVD-HD.

The decrypting device 200 a includes the IC card 210 a and the descrambler 260 according to the first embodiment; however, the decrypting device for PC generally includes the DVD drive and the playback software.

Therefore, the decrypting device 200 i comprises a DVD drive 400, which includes the descrambler 260 and the authentication processing unit 270, and a DVD playback PC software 500 which includes the IC card 210 a and the Dec processing unit 280 in the descrambler 260. Note that the manufacturer of the DVD drive 400 is different from that of the DVD playback PC software 500.

The DVD drive 400 has the same construction as the authentication processing unit 270. The DVD drive 400 includes a public key certificate memory unit for the bus authentication 410, a secret key memory unit for the bus authentication 420, a public key decrypting unit 430, a key calculating unit 440 and a bus encryption unit 450.

The public key certificate memory unit for the bus authentication 410 in the DVD drive 400 memorizes a public key certificate for the bus authentication, such as an IDE bus and a SCSI bus, in advance, and passes the public key certificate for the bus authentication to the DVD playback PC software 500 when the DVD 2 a plays back content.

The secret key memory unit for the bus authentication 420, the public key decrypting unit 430, the key calculating unit 440 and the bus encryption unit 450 generate a session key K and form a SAC with the DVD playback PC software 500.

The DVD playback software 500 includes a certificate qualification checking unit 510, a public key validity checking unit 520, a public key encryption unit 530, a verification unit 540, a key calculating unit 550, a bus decrypting unit 560, a hashing function processing unit 570, a device key memory unit 580, and Dec processing units 590, 595. Each of the above units is implemented by software, a CPU in the PC, a memory, etc.

The certificate qualification checking unit 510 checks whether or not the certificate is qualified by decrypting the certificate sent from the public key certificate memory unit for the bus authentication 410 with the public key.

The public key validity checking unit 520, upon receipt of the notice from the certificate qualification checking unit 510 that the certificate is qualified, checks whether or not the DVD drive is revoked with reference to the CRL for the bus authentication received via the DVD drive 400 and the latest CRL for the bus authentication which is read out from the latest edition CRL memory unit 250.

When the public key encryption unit 530, the verification unit 540, the key calculating unit 550, and the bus decrypting unit 560 receive the notice from the public key validity checking unit 520 that the DVD drive 400 is not revoked, that is, the DVD drive 400 is qualified, a session key K′ is generated, and the SAC is formed with the DVD drive 400.

The public key encryption unit 530 calculates a hashing value Hash ofthe CRL.

The device key memory unit 580 memorizes the device key KD_A in advance.

The Dec processing unit 590 generates a content key Kc based on the encrypted content key outputted from the bus decrypting unit 560, the hashing value Hash outputted from the hashing function processing unit 570 and the device key KD_A.

The Dec processing unit 590 generates a content by decrypting the encrypted content bound to the DVD 2 a using the content key Kc.

Here is an explanation for the authentication processing executed between the DVD drive 400 and the DVD playback PC software 500.

The public key encryption unit 530 generates a random number cha upon receipt of the notice that the DVD drive is qualified, encrypts the generated random number cha using the partner public key for the bus authentication and transfers the encrypted random number cha to the public key decrypting unit 430.

The public key decrypting unit 430 obtains the random number cha by decrypting the encrypted random number cha using the secret key for the bus authentication memorized in the secret key memory unit for the bus authentication memory unit 420. The public key decrypting unit 430 encrypts the random number cha and the self secret key using the partner public key for the bus authentication, transfers the result of the encryption to the verification unit 540 and passes the random number cha and the secret key to the key calculating unit 440. The key calculating unit 440 calculates the session key K based on the random number cha and the secret key and passes it to the bus encryption unit 450. The bus encryption unit 450 encrypts the encrypted content key ring and sends the doubly encrypted content key ring to the DVD playback PC software 500.

On one hand, the verification unit 540 in the DVD playback PC software 500 verifies whether or not the random number cha obtained by decrypting with the self secret key matches the original random number cha, and when they match each other, the random number cha and the partner secret key are passed to the key calculating unit 550. The key calculating unit 550 calculates the session key K′ using the random number cha and the partner secret key and passes it to the bus decrypting unit 560. The bus decrypting unit 560 decrypts the doubly encrypted content key ring using the session key K′, generates the encrypted content key ring and outputs the encrypted content key ring to the Dec processing unit 590.

On the other hand, the hashing function processing unit 570 calculates the hashing value Hash of the CRL outputted from the DVD drive and outputs the hashing value Hash to the Dec processing unit 590. The Dec processing unit 590 decrypts the content key to the encrypted value using the device key KD_A by calculating the exclusive OR between the encrypted content key ring and the hashing value Hash, and further decrypts the content key Kc by decrypting the device key KD_A and passes it to the Dec processing unit 595. The Dec processing unit 595 decrypts the encrypted content bound to the DVD 2 a using the content key Kc and plays back the content.

Accordingly, the decrypting device 200 i of the recording medium copyright protection system 1 i according to the ninth embodiment, that is, the PC including the DVD drive 400 and the DVD playback PC software 500, must pass the CRL bound to the DVD 2 a in order to get a key for decrypting a content in return, as is the case with the HD-DVD. As a result, the computers can eliminate an illegal descrambler 260 which conducts an unauthorized use such as a replacement of the CRL, and the copyright is thus protected.

In addition, when the decrypting device 200 i, that is, the PC, is connected to the Internet, the decrypting device 200 i accesses the terminal device 300 when the DVD 2 e is played back, downloads the latest CRL from the terminal device 300 and checks whether or not the DVD drive 400 is revoked in the public key validity checking unit 520 using the downloaded latest CRL.

The decrypting device 200 i according to the ninth embodiment includes the DVD drive 400 and the DVD playback software 500; however, the DVD playback PC software only has what we call a “descramble” function. So, in this case, it is assumed that the decrypting device 200 i should be used while connected to the licensor supply protection module A. In other words, the PC should be fixable for the IC card 210 a and the decrypting device 200 i, and the DVD drive 400 may be included in the IC card 210 a and the DVD playback PC software partially in the Dec processing unit in this PC.

In that case, the content may be played back by decrypting the encrypted content read out from the DVD drive 400 after setting the SAC between the DVD drive 400 and the IC card 210 a, and between the IC card 210 a and the Dec processing unit 595 in the DVD playback PC software.

In addition, the encryption device 100 a may further include the confirmation data outputting unit to output the confirmation data, which is to be a criterion for confirming whether or not the content key decrypted in the decrypting device 200 i is the qualified key, to the DVD 2 a. When the confirmation data outputting unit outputs to the DVD 2 f, as the confirmation data, data obtained by encrypting the predetermined fixed-pattern data using the content key memorized in the content key memory unit 113, or data obtained by encrypting the content key using the content key, then, corresponding to the terminal device 110 a, the content key decrypting unit 220 i includes the content decrypting key checking unit 228 that checks whether or not the content key is the qualified key, the content key checking unit 242, and the content decrypting key checking unit 244.

The copyright protection system for the present invention according to the embodiments is explained above. However, the present invention is not limited to those embodiments.

For example, in the above embodiment for the copyright protection system, the digital production is transmitted via the DVD medium; however, the present invention is also applicable to a system that transmits the digital production via a transmission medium such as the Internet. In other words, the present invention applies to such a system by replacing “recording to the recording medium” with “sending to the transmission line”, and “reading out from the recording medium” with “receiving from the transmission line”.

In addition, the present invention is applicable to a system that transfers the digital production by combining a recording medium and a transmission medium. That is, an encrypted content may well be supplied by a recording medium such as a DVD, and a key for decrypting the encrypted content and a CRL supplied by a transmission medium, the network delivery. The reverse case, in which a key is supplied by the recording medium and an encrypted content is supplied by a transmission medium, the network delivery, is also applicable. In this system that transfers the digital production by combining the recording medium and the transmission medium, it is selectable which of the encrypted contents and the keys are supplied by the recording medium, and which are supplied by the transmission medium, the network delivery.

In the above embodiment, the copyright protection module (tamper tolerant module) is applied to the IC card 210 a to 210 f; however, an LSI 210 i which integrates each configuration of the IC card 210 a to 210 f into one chip can be applied, and the LSI 210 i may well be mounted to a socket 210 j or mounted by soldering on to a board. Also, in the above embodiment, the IC card 210 a to 210 f is supplied by the copyright protection licensor; however, the IC card 210 a to 210 f manufactured by the manufacturer of the decrypting device 200 a to 200 f, or the LSI 210 i, can be used in place of the IC card 210 a to 210 f.

Also, in the above embodiment, the copyright protection system according to the present invention is applied to a wide area between the encryption device 100 a to 100 f of the copyright protection licensor or the content manufacturer and the decrypting device 200 a to 200 f used by the user; however, the system is also applicable to a small area, such as a domestic area or an intranet, when a processing of the cipher communication is executed.

The Tenth Embodiment

FIG. 17 is a block diagram that shows an overall configuration of a copyright protection system which establishes a cipher communication with the content via a home LAN, and FIG. 18 is a block diagram that shows a construction of an AV server 100 j, each plasma TV 200 k, a VTR 200 m, and a DVD recorder 200 n of FIG. 17 and FIG. 18. In FIG. 18, since the construction of the plasma TV 200 k, the VTR 200 m, and the DVD recorder 200 n are the same with the copyright protection system, only the plasma TV 200 k is shown as an example.

The copyright protection system 1 j includes a home LAN 30 as a transmission medium, an AV server 100 j which connects to the home LAN 30, a plasma TV 200 k as a client, a VTR 200 m and a DVD recorder 200 n.

Although the AV server 100 j has almost the same components as the encryption device 100 a, as shown in FIG. 1, the AV server 100 j stores the content received from out-of-home in the content memory unit 161, which includes a HDD, and delivers the memorized content via the home LAN 30 in response to a delivery request. This is the point of difference.

More specifically, the AV server 100 j receives content from a broadcast station 100 g via a broadcast (BS, CS) or broadcast network of a terrestrial broadcast 3 a, from a server 100 h of a content provider via internet network 3 b, or from a CATV broadcast 100 i via CATV network 3 c, and memorizes the content to the content memory unit 161.

The AV server 100 j includes a session key memory unit 112 a. When a request for delivering the content memorized in the content memory unit 161 is received from a client such as the plasma TV 200 k, a SAC is formed with the plasma TV 200 k based on the delivering request. A session key Kses, obtained when the SAC is formed, is memorized in the session key memory unit 112 a, and the content key Kc is encrypted using the session key Kses in place of the device key used in the encryption device 100 a. The encryption device 100 a encrypts the content key Kc using the device key; here, the session key Kses is used in place of the device key. This is the point of difference from the encryption device 100 a.

On the other hand, the plasma TV 200 k, the VTR 200 m and the DVD recorder 200 n have almost the same components as the decrypting device 200 a as shown in FIG. 1; however, the plasma TV 200 k, the VTR 200 m and the DVD recorder 200 n each include a session key memory unit 221 a for memorizing a session key obtained when the SAC is formed with the AV server 100 j, and decrypt the content key Kc using the session key Kses memorized in the session key memory unit 221 a. This is the point of difference from the decrypting device 200 a, which decrypts the content key Kc using the device key KD_A.

A processing between the AV server 100 j and the plasma TV 200 k according to the copyright protection system 1 j is described below, focusing on the points of difference from the copyright protection system 1 a.

The AV server 100 j conducts a SAC processing with the plasma TV 200 k using an Elliptical Curve Cryptography (ECC) by request of the content delivery from a client, the DVD recorder 200 n. The AV server 100 j and the plasma TV 200 k hold the same value session key Kses as each other. The AV server 100 j memorizes the session key Kses in the session key memory unit 112 a. The content key decrypting unit 220 h, in the copyright protection module 210 k of the plasma TV 200 k, memorizes the session key Kses to the session key memory unit 221 a. The Ex-OR unit 115 in the AV server 100 j carries out the exclusive OR between the session key Kses, which is shared with the plasma TV 200 k, and the hashing value of the CRL. The Enc unit 116 encrypts the content key Kc using a value obtained by the Ex-OR unit as a key. The Enc unit 162 encrypts a content which is a requested AV data using the content key. After the encryption of the content key and the content is finished, the AV server 100 j sends the encrypted content key, the encrypted content and the CRL to the plasma TV 200 k via the home LAN 30.

The copyright protection module 210 k in the plasma TV 200 k receives the CRL and the encrypted content which has been sent via the home LAN 30. The descrambler 260 receives the CRL and the encrypted content. The Ex-OR unit 223 in the content key decrypting unit 220 h, which is in the copyright protection module 210 k of the plasma TV 200 k, carries out the exclusive OR between the session key Kses memorized in the session key memory unit 221 a and the hashing value of the CRL obtained by the hashing function processing unit 222. The Dec processing unit 224 decrypts the content key using a value obtained in the Ex-OR unit 223 as a key.

A SAC processing is conducted between the copyright protection module 210 k in the plasma TV 200 k and the descrambler 260, based on the CRL, and the session key KK is shared.

The authentication unit 237 in the copyright protection module 210 k encrypts the content key Kc using the shared session key KK and sends the content key Kc to the descrambler 260. The authentication unit 277 in the descrambler 260 decrypts the content key Kc. The Dec processing unit 280 decrypts the encrypted content with the obtained content key Kc.

Accordingly, it is easy to use the content for a client who uses a computer connected to a relatively small-scale network, such as a domestic network or an intranet. Furthermore, the copyright protection is strictly controlled down to the end user.

Also, in the tenth embodiment, the session key Kses is used in place of the device key; however, a secret key Ks can be shared between the AV server 100 j and the plasma TV 200 k in advance, and be used in place of the session key. For checking whether or not the decrypted content key is the qualified key, the predetermined fixed-pattern data described above can be sent with the CRL, and the determination made in the copyright protection module 210 k.

In addition, various kinds of encryption devices or decrypting devices are realized by combining the above processing of the ten embodiments. That is, in the case of the encryption, (1) when we call each processing;

i. an encryption for a secret key

ii. a transformation by the one-way function

as a layer; it is selectable for the system to be double layered or triple layered, (2) as for a key for the encryption of the content, it is selectable for the key to be a content key or to be a function value obtained by transforming a medium ID in the one-way function, (3) as for the associating object for the hashing value of the CRL, it is selectable for the object to be the device key, the disk key, the content key, the medium ID, the session key or to be the function value obtained by transforming the medium ID in the one-way function. Accordingly, various forms of the encryption device, the decrypting device and the IC card are realized by combining the above three independent parameters (1), (2) and (3) arbitrarily.

Also, the number of layers for the above encryption (or decrypting) of a secret key, etc., is not limited to 1 to 3. There can be more than 3 layers. In consideration of these variations, the encryption device, the decrypting device, and the IC module (secret key generation device) for the present invention are described as below.

That is, regarding an encryption method using a content key;

an encrypting method in an encryption device that encrypts a digital production and outputs the encrypted digital production to a recording medium or a transmission medium, the encrypting method includes:

(1) an encrypting step for repeating a chain encryption process, for a first secret key through an (n−1)^(th) secret key, of encrypting the digital production using the first secret key out of n (≧2) secret keys and encrypting an (i−1)^(th) secret key using an i (2≦i≦n)^(th) secret key; and

(2) an outputting step for outputting the encrypted first secret key through the (n−1)^(th) secret key to the recording medium and the transmission medium,

wherein the chain encryption process using at least one of the firstsecret key through the n^(th) secret key includes a first step fortransforming the secret key, prior to the encryption, using an attributevalue dependent on details of a CRL which is an information list forspecifying a revoked public key certificate.

Regarding an encryption method using the medium ID;

an encrypting method in an encryption device that encrypts a digital production and outputs the encrypted digital production to a recording medium or a transmission medium, the encrypting method includes:

(1) an encrypting step for repeating a chain encryption and transformation process, for a first secret key through an (n−1)^(th) secret key, of transforming a medium identification information with a one-way function using the first secret key out of n (≧1) secret keys, encrypting the digital production using the transformed medium identification information, and in the case of n≧2 encrypting an (i−1)^(th) secret key using an i (2≦i≦n)^(th) secret key; and

(2) an outputting step for outputting the encrypted first secret key through the (n−1)^(th) secret key to the recording medium and the transmission medium,

wherein the chain encryption or transformation process using at least one of the first secret key through the n^(th) secret key includes a second step for (1) transforming the secret key, prior to the encryption, using an attribute value dependent on details of a CRL which is an information list for specifying a revoked public key certificate, or (2) transforming the medium identification information obtained by the transformation with the attribute value.

Regarding the decrypting method using a content;

a decrypting method in a decrypting device that decrypts an encrypted digital production, the decrypting method includes:

(1) a first decrypting step for repeating a chain decrypting process, for n (≧2) encrypted secret keys, of obtaining the encrypted digital production, the n encrypted secret keys and a CRL which is an information list for specifying a revoked public key certificate via a recording medium or a transmission medium, and decrypting a first encrypted secret key out of the n encrypted secret keys using a pre-holding secret key, and further decrypting an encrypted second secret key with the obtained first secret key; and

(2) a second decrypting step for decrypting the digital production with the n^(th) secret key obtained by the final decrypting,

wherein at least one of the chain decrypting processes using the first secret key through the n^(th) secret key includes a third step for transforming the secret key used for the decrypting, prior to the decrypting, using an attribute value dependent on details of the CRL.
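The content-key chain described above, as an added example that is not part of the patent text: n secret keys wrap one another, one chosen layer is XORed with a hash of the CRL before use, and a fixed-pattern confirmation check of the kind the claims describe detects a replaced CRL. Assumptions: SHA-256 as the hashing function, an HMAC-SHA256 counter-mode keystream standing in for the Enc/Dec units, and the function names, fixed pattern and sample CRL bytes, all of which are constructed for illustration.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 32  # assumption: 256-bit keys, so a SHA-256 digest can be XORed in directly
FIXED_PATTERN = bytes.fromhex("0123456789abcdef") * 2  # constructed confirmation pattern


def crl_attribute(crl: bytes) -> bytes:
    """Attribute value dependent on the CRL contents (a hash; SHA-256 assumed)."""
    return hashlib.sha256(crl).digest()


def transform(key: bytes, attribute: bytes) -> bytes:
    """Exclusive OR between a secret key and the CRL attribute value."""
    if len(key) != len(attribute):
        raise ValueError("key and attribute value must have the same length")
    return bytes(k ^ a for k, a in zip(key, attribute))


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher core: XOR data with an HMAC-SHA256 counter-mode keystream."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(d ^ s for d, s in zip(data, stream))


def enc(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    return nonce + _xor_stream(key, nonce, plaintext)


def dec(key: bytes, blob: bytes) -> bytes:
    return _xor_stream(key, blob[:16], blob[16:])


def encrypt_chain(content: bytes, keys: list, crl: bytes, bound_layer: int) -> dict:
    """keys = [K1, ..., Kn]; Kn is the key the decrypting side already holds.

    K1 encrypts the content and K(i) encrypts K(i-1). The key at bound_layer
    (1-based) is XORed with the CRL attribute value before it is used.
    """
    attr = crl_attribute(crl)

    def use(i: int) -> bytes:
        return transform(keys[i - 1], attr) if i == bound_layer else keys[i - 1]

    return {
        "crl": crl,
        "content": enc(use(1), content),
        "confirm": enc(use(1), FIXED_PATTERN),
        # wrapped[i - 2] holds K(i-1) encrypted under K(i), for i = 2..n
        "wrapped": [enc(use(i), keys[i - 2]) for i in range(2, len(keys) + 1)],
    }


def decrypt_chain(package: dict, held_key: bytes, bound_layer: int) -> bytes:
    """Unwrap Kn -> K1 using the CRL that arrived with the package."""
    attr = crl_attribute(package["crl"])
    n = len(package["wrapped"]) + 1
    key = held_key
    for i in range(n, 1, -1):
        k_use = transform(key, attr) if i == bound_layer else key
        key = dec(k_use, package["wrapped"][i - 2])
    k1 = transform(key, attr) if bound_layer == 1 else key
    # Fixed-pattern check: a wrong key (for example after a CRL swap) fails here
    if not hmac.compare_digest(dec(k1, package["confirm"]), FIXED_PATTERN):
        raise ValueError("key check failed: CRL differs from the one bound at encryption")
    return dec(k1, package["content"])


if __name__ == "__main__":
    keys = [secrets.token_bytes(KEY_LEN) for _ in range(3)]  # K1, K2, K3 (K3 held by device)
    current_crl = b"constructed CRL v2: revoked serials 1001, 1002"
    older_crl = b"constructed CRL v1: revoked serials 1001"
    pkg = encrypt_chain(b"sample content", keys, current_crl, bound_layer=3)
    print(decrypt_chain(pkg, keys[-1], bound_layer=3))
    try:
        decrypt_chain(dict(pkg, crl=older_crl), keys[-1], bound_layer=3)
    except ValueError as err:
        print("rejected:", err)
```

Because the stand-in cipher carries no integrity protection of its own, the fixed-pattern comparison is the only thing that turns a substituted CRL into an explicit rejection instead of silently garbled output.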

Regarding the decrypting method using a medium ID;

a decrypting method in a decrypting device that decrypts an encrypted digital production, the decrypting method includes:

(1) a first decrypting step for repeating a chain decrypting process, for n (≧1) encrypted secret keys, of obtaining the encrypted digital production, a medium identification information, n (≧1) encrypted secret keys and a CRL which is an information list for specifying a revoked public key certificate via a recording medium or a transmission medium, decrypting a first secret key using a pre-holding secret key, and in the case of n (≧2), decrypting an encrypted second secret key with the obtained first secret key; and

(2) a second decrypting step for transforming the medium identification information by a one-way function using the n^(th) secret key used for the final decrypting, and decrypting the digital production with the transformed medium identification information,

wherein at least one of the chain decrypting processes using the first secret key through the n^(th) secret key or the transformation of the medium identification information includes a fourth step for (1) transforming the secret key used for the decrypting or the transformation, prior to the decrypting or the transformation, using an attribute value dependent on details of the CRL or (2) transforming the medium identification information obtained by the transformation using the attribute value.

As stated above, the encryption device of the copyright protection system, the AV server, the decrypting device and the client can use a server, a set top box, a personal computer, a digital television, a VTR, a DVD recorder, a printer, a cellular phone and a personal digital assistant for delivering and receiving the content via the recording medium or the transmission medium as a computer device.

1. A secret key generating device for outputting a secret key to a decrypting device, which decrypts, using the secret key, an encrypted digital production, the secret key generating device comprising: an obtaining unit operable to obtain an encrypted first secret key and a CRL, from one of a recording medium and a transmission medium, the encrypted first secret key being generated by encrypting a first secret key using a transformed second secret key, the first secret key being used for encrypting the digital production, the CRL being an information list specifying a revoked public key certificate, the transformed second secret key being transformed from a second secret key using an attribute value calculated based on the CRL, and the second secret key being specific to the secret key generating device; a second secret key memory unit operable to store the second secret key that is specific to the secret key generating device; an attribute value calculating unit operable to calculate the attribute value based on the CRL obtained from the one of the recording medium and the transmission medium; a transforming unit operable to transform the second secret key, using the attribute value calculated by the attribute value calculating unit and using the second secret key stored in the second secret key memory unit, into the transformed second secret key used for encrypting the first secret key; a first decrypting unit operable to decrypt the encrypted first secret key, using the transformed second secret key transformed by the transforming unit, to obtain the first secret key; and an outputting unit operable to output, to the decrypting device, the first secret key obtained by the first decrypting unit, as the secret key used for decrypting the encrypted digital production, wherein the encrypted first secret key is associated with the CRL via the transformed second secret key.
2. The secret key generating device according to claim 1, further comprising a verification unit operable to verify whether or not the first secret key obtained by the first decrypting unit is qualified for encrypting the digital production.
3. The secret key generating device according to claim 2, wherein the verification unit includes: a confirmation data obtaining unit operable to obtain confirmation data, which is a criterion for verifying whether or not the first secret key is qualified, the confirmation data being obtained from one of the recording medium and the transmission medium; and a confirmation data decrypting unit operable to decrypt the obtained confirmation data using the first secret key obtained by the first decrypting unit, wherein the verification unit is operable to verify whether or not the decrypted confirmation data obtained by the confirmation data decrypting unit matches predetermined fixed-pattern data, and is operable to determine that the first secret key is qualified upon the verification unit verifying that the decrypted confirmation data matches the predetermined fixed-pattern data.
4. The secret key generating unit according to claim 2, wherein the verification unit includes: a confirmation data obtaining unit operable to obtain confirmation data, which is a criterion for verifying whether or not the first secret key is qualified, the confirmation data being obtained from one of the recording medium and the transmission medium; and a first secret key encryption unit operable to encrypt the first secret key obtained by the first decrypting unit using the first secret key, wherein the verification unit is operable to verify whether or not the first secret key encrypted by the first secret key encryption unit matches the confirmation data obtained by the confirmation data obtaining unit, and is operable to determine that the first secret key is qualified upon the verification unit verifying that the first secret key encrypted by the first secret key encryption unit matches the confirmation data.
5. The secret key generating unit according to claim 2, wherein the verification unit includes: a confirmation data obtaining unit operable to obtain confirmation data, which is a criterion verifying whether or not the first secret key is qualified, the confirmation data being obtained from one of the recording medium and the transmission medium; and a confirmation data decrypting unit operable to decrypt the obtained confirmation data using the first secret key obtained by the first decrypting unit, wherein the verification unit is operable to verify whether or not a value obtained by the confirmation data decrypting unit decrypting the confirmation data matches the first secret key obtained by the first decrypting unit, and is operable to determine that the first secret key is qualified upon the verification unit verifying that the value obtained by the confirmation data decrypting unit matches the first secret key obtained by the first decrypting unit.
6. The secret key generating device according to claim 1, wherein the attribute value calculating unit calculates a hashing value of the CRL, as the attribute value, and the transforming unit transforms the second secret key into the transformed second secret key by carrying out an exclusive OR between the second secret key and the hashing value.
7. A secret key generating device for outputting a secret key to a decrypting device, which decrypts, using the secret key, an encrypted digital production, the secret key generating device comprising: an obtaining unit operable to obtain an encrypted first secret key and a CRL, from one of a recording medium and a transmission medium, the encrypted first secret key being associated with a transformed first secret key, the first secret key being used for encrypting the digital production, the CRL being an information list specifying a revoked public key certificate, the transformed first secret key being transformed from a first secret key using an attribute value calculated based on the CRL, the first secret key being encrypted using a second secret key, and the second secret key being specific to the secret key generating device; a second secret key memory unit operable to store the second secret key that is specific to the secret key generating device; a first decrypting unit operable to decrypt the encrypted first secret key, using the second secret key stored in the second secret key memory unit, to obtain the first secret key; an attribute value calculating unit operable to calculate the attribute value based on the CRL obtained from the one of the recording medium and the transmission medium; a transforming unit operable to transform the first secret key, using the attribute value calculated by the attribute value calculating unit and using the first secret key obtained by the first decrypting unit, into the transformed first secret key used for encrypting the digital production; and an outputting unit operable to output, to the decrypting device, the transformed first secret key transformed by the transforming unit, as the secret key used for decrypting the encrypted digital production, wherein the encrypted first secret key is associated with the CRL via the transformed first secret key.
8. The secret key generating device according to claim 7, further comprising a verification unit operable to verify whether or not the first secret key transformed by the transforming unit is qualified for encrypting of the digital production.
9. The secret key generating device according to claim 8, wherein the verification unit includes: a confirmation data obtaining unit operable to obtain confirmation data, which is a criterion for verifying whether or not the first secret key is qualified, the confirmation data being obtained from one of the recording medium and the transmission medium; a confirmation data decrypting unit operable to decrypt the obtained confirmation data using the transformed first secret key transformed by the transforming unit, wherein the verification unit is operable to verify whether or not the decrypted confirmation data obtained by the confirmation data decrypting unit matches predetermined fixed-pattern data, and is operable to determine that the first secret key is qualified upon the verification unit verifying that the decrypted confirmation data matches the predetermined fixed-pattern data.
10. The secret key generating device according to claim 8, wherein the verification unit includes: a confirmation data obtaining unit operable to obtain confirmation data, which is a criterion for verifying whether or not the first secret key is qualified, the confirmation data being obtained from one of the recording medium and the transmission medium; and a first secret key encryption unit operable to encrypt the transformed first secret key transformed by the transforming unit using the first secret key, wherein the verification unit is operable to verify whether or not the first secret key encrypted by the first secret key encryption unit matches the confirmation data obtained by the confirmation data obtaining unit, and is operable to determine that the first secret key is qualified upon the verification unit verifying that the first secret key encrypted by the first secret key encryption unit matches the confirmation data.
11. The secret key generating device according to claim 8, wherein the verification unit includes: a confirmation data obtaining unit operable to obtain confirmation data, which is a criterion for verifying whether or not the first secret key is qualified, the confirmation data being obtained from one of the recording medium and the transmission medium; and a confirmation data decrypting unit operable to decrypt the obtained confirmation data using the transformed first secret key transformed by the transforming unit, wherein the verification unit is operable to verify whether or not a value obtained by the confirmation data decrypting unit decrypting the confirmation data matches the transformed first secret key transformed by the transforming unit, and is operable to determine that the first secret key is qualified upon the verification unit verifying that the value obtained by the confirmation data decrypting unit matches the first secret key obtained by the first decrypting unit.
12. A secret key generating device for outputting a secret key to a decrypting device, which decrypts, using the secret key, an encrypted digital production, the secret key generating device comprising: an obtaining unit operable to obtain medium identification information and a CRL, from one of a recording medium and a transmission medium, the medium identification information being associated with a secret key, the secret key being used for encrypting the digital production, the CRL being an information list specifying a revoked public key certificate, the secret key being generated based on the medium identification information and a transformed first secret key, the transformed first secret key being transformed from the first secret key using an attribute value calculated based on the CRL, and the first secret key being specific to the decrypting device; a first secret key memory unit operable to store the first secret key that is specific to the decrypting device; an attribute value calculating unit operable to calculate the attribute value based on the CRL obtained from the one of the recording medium and the transmission medium; a transforming unit operable to transform the first secret key, using the attribute value calculated by the attribute value calculating unit and using the first secret key stored in the first secret key memory unit, into the transformed first secret key; a function transformation unit operable to transform the medium identification information obtained by the obtaining unit and the transformed first secret key transformed by the transforming unit, by inputting the medium identification information and the transformed first secret key into a one-way function; and an outputting unit operable to output, to the decrypting device, the function value obtained from the function transformation unit, as the secret key used for decrypting the encrypted digital production, wherein the medium identification information is associated with the CRL via the transformed first secret key.
13. A secret key generating device for outputting a secret key to a decrypting device, which decrypts, using the secret key, an encrypted digital production, the secret key generating device comprising: an obtaining unit operable to obtain medium identification information and a CRL, from one of a recording medium and a transmission medium, the medium identification information being associated with a secret key, the secret key being used for encrypting the digital production, the CRL being an information list specifying a revoked public key certificate, the secret key being generated as a transformed function value, the transformed function value being transformed from a function value using an attribute value calculated based on the CRL, the function value being calculated based on the medium identification information and a first secret key using a one-way function, and the first secret key being specific to the decrypting device; a first secret key memory unit operable to store the first secret key that is specific to the decrypting device; a function transformation unit operable to transform the medium identification information obtained from the obtaining unit and the first secret key stored in the first secret key memory unit, by inputting the medium identification information and the first secret key into the one-way function; an attribute value calculating unit operable to calculate the attribute value based on the CRL obtained from the one of the recording medium and the transmission medium; a transforming unit operable to transform the function value, using the attribute value calculated by the attribute value calculating unit and the function value, into the transformed function value; and an outputting unit operable to output, to the decrypting device, the transformed attribute value transformed by the transforming unit, as the secret key used for decrypting the encrypted digital production, wherein the medium identification information is associated with the CRL via the transformed function value.
14. A secret key generating device for outputting a secret key to a decrypting device which decrypts, using the secret key, an encrypted digital production, the secret key generating device comprising: an obtaining unit operable to obtain an encrypted first secret key, an encrypted second secret key and a CRL, from one of a recording medium and a transmission medium, the encrypted first secret key being generated by encrypting a first secret key using a second secret key, the first secret key being used for encrypting the digital production, the encrypted second secret key being generated by encrypting the second secret key using a transformed third secret key, the second secret key being used for encrypting the first secret key, the CRL being an information list specifying a revoked public key certificate, the transformed third secret key being transformed from a third secret key using an attribute value calculated based on the CRL, and the third secret key being specific to the secret key generating device; a third secret key memory unit operable to store the third secret key that is specific to the secret key generating device; an attribute value calculating unit operable to calculate the attribute value based on the CRL obtained from the one of the recording medium and the transmission medium; a transforming unit operable to transform the third secret key, using the attribute value calculated by the attribute value calculating unit and using the third secret key stored in the third secret key memory unit, into the transformed third secret key used for encrypting the second secret key; a first decrypting unit operable to decrypt the encrypted second secret key, using the transformed third secret key transformed by the transforming unit, to obtain the second secret key; a second decrypting unit operable to decrypt the encrypted first secret key, using the second secret key obtained by the first decrypting unit, to obtain the first secret key; and an outputting unit operable to output, to the decrypting device, the first secret key obtained by the second decrypting unit, as the secret key used for decrypting the encrypted digital production, wherein the encrypted second secret key is associated with the CRL via the transformed third secret key.
15. The secret key generating device according to claim 14, further comprising a verification unit operable to verify whether or not the second secret key obtained by the first decrypting unit is qualified for encrypting the second secret key.
16. The secret key generating device according to claim 15, wherein the verification unit includes: a confirmation data obtaining unit operable to obtain confirmation data, which is a criterion for verifying whether or not the second secret key is qualified, the confirmation data being obtained from one of the recording medium and the transmission medium; and a confirmation data decrypting unit operable to decrypt the obtained confirmation data using the second secret key obtained by the first decrypting unit, wherein the verification unit is operable to verify whether or not the decrypted confirmation data obtained by the confirmation data decrypting unit matches predetermined fixed-pattern data, and is operable to determine that the second secret key is qualified upon the verification unit verifying that the decrypted confirmation data matches the predetermined fixed-pattern data.
17. The secret key generating unit according to claim 15, wherein the verification unit includes: a confirmation data obtaining unit operable to obtain confirmation data, which is a criterion for verifying whether or not the second secret key is qualified, the confirmation data being obtained from one of the recording medium and the transmission medium; and a second secret key encryption unit operable to encrypt the second secret key obtained by the first decrypting unit using the second secret key, wherein the verification unit is operable to verify whether or not the second secret key encrypted by the second secret key encryption unit matches the confirmation data obtained by the confirmation data obtaining unit, and is operable to determine that the second secret key is qualified upon the verification unit verifying that the second secret key encrypted by the second secret key encryption unit matches the confirmation data.
18. The secret key generating unit according to claim 15, wherein the verification unit includes: a confirmation data obtaining unit operable to obtain confirmation data, which is a criterion for verifying whether or not the second secret key is qualified, the confirmation data being obtained from one of the recording medium and the transmission medium; and a confirmation data decrypting unit operable to decrypt the obtained confirmation data using the second secret key obtained by the first decrypting unit, wherein the verification unit is operable to verify whether or not a value obtained by the confirmation data decrypting unit decrypting the confirmation data matches the second secret key obtained by the first decrypting unit, and is operable to determine that the second secret key is qualified upon the verification unit verifying that the value obtained by the confirmation data decrypting unit matches the second secret key obtained by the first decrypting unit.
19. A secret key generating device for outputting a secret key to a decrypting device which decrypts, using the secret key, an encrypted digital production, the secret key generating device comprising: an obtaining unit operable to obtain an encrypted first secret key, an encrypted second secret key, and a CRL, from one of a recording medium and a transmission medium, the encrypted first secret key being generated by encrypting a first secret key using a transformed second secret key, the first secret key being used for encrypting the digital production, the encrypted second secret key being associated with the transformed second secret key, the CRL being an information list specifying a revoked public key certificate, the transformed second secret key being transformed from the second secret key using an attribute value calculated based on the CRL, the second secret key being encrypted using a third secret key, and the third secret key being specific to the secret key generating device; a third secret key memory unit operable to store the third secret key that is specific to the secret key generating device; a first decrypting unit operable to decrypt the encrypted second secret key, using the third secret key stored in the third secret key memory unit, to obtain the second key; an attribute value calculating unit operable to calculate the attribute value based on the CRL obtained from the one of the recording medium and the transmission medium; a transforming unit operable to transform the second secret key, using the attribute value calculated by the attribute value calculating unit and using the second secret key obtained by the first decrypting unit, into the transformed second secret key used for encrypting the digital production; a second decrypting unit operable to decrypt the encrypted first secret key, using the transformed second secret key transformed by the transforming unit, to obtain the first secret key; and an outputting unit operable to output, to the decrypting device, the first secret key obtained by the second decrypting unit, as the secret key used for decrypting the encrypted digital production, wherein the encrypted first secret key is associated with the CRL via the transformed second secret key.
20. A secret key generating device for outputting a secret key to a decrypting device which decrypts, using the secret key, an encrypted digital production, the secret key generating device comprising: an obtaining unit operable to obtain medium identification information, an encrypted first secret key, and a CRL, from one of a recording medium and a transmission medium, a function value being used as a secret key for encrypting the digital production, the function value being calculated using a one-way function based on the medium identification information and the first secret key, the encrypted first secret key being generated by encrypting the first secret key using the transformed second secret key, the CRL being an information list specifying a revoked public key certificate, the transformed second secret key being transformed from a second secret key using an attribute value calculated based on the CRL, and the second secret key being specific to the secret key generating device; a second secret key memory unit operable to store the second secret key that is specific to the secret key generating device; an attribute value calculating unit operable to calculate the attribute value based on the CRL obtained from the one of the recording medium and the transmission medium; a transforming unit operable to transform the second secret key, using the attribute value calculated by the attribute value calculating unit and using the second secret key stored in the second secret key memory unit, into the transformed second secret key; a first decrypting unit operable to decrypt the encrypted first secret key, using the transformed second secret key transformed by the transforming unit, to obtain the first secret key; a function transformation unit operable to transform the medium identification information obtained from the obtaining unit and the first secret key obtained by the first decrypting unit, by inputting the medium identification information obtained from the obtaining unit and the first secret key into the one-way function; and an outputting unit operable to output, to the decrypting device, the function value obtained by the function transformation unit, as the secret key used for decrypting the digital production, wherein the medium identification information is associated with the encrypted first secret key and the CRL via the transformed second secret key.
21. The secret key generating device according to claim 20, further comprising a verification unit operable to verify whether or not the first secret key obtained by the first decrypting unit is qualified for encrypting the medium identification information.
22. The secret key generating device according to claim 21, wherein the verification unit includes: a confirmation data obtaining unit operable to obtain confirmation data, which is a criterion for verifying whether or not the first secret key is qualified, the confirmation data being obtained from one of the recording medium and the transmission medium; and a confirmation data decrypting unit operable to decrypt the obtained confirmation data using the first secret key obtained by the first decrypting unit, wherein the verification unit is operable to verify whether or not the decrypted confirmation data obtained by the confirmation data decrypting unit matches predetermined fixed-pattern data, and is operable to determine that the first secret key is qualified upon the verification unit verifying that the decrypted confirmation data matches the predetermined fixed-pattern data.
23. The secret key generating unit according to claim 21, wherein the verification unit includes: a confirmation data obtaining unit operable to obtain confirmation data, which is a criterion for verifying whether or not the first secret key is qualified, the confirmation data being obtained from one of the recording medium and the transmission medium; and a first secret key encryption unit operable to encrypt the first secret key obtained by the first decrypting unit using the first secret key, wherein the verification unit is operable to verify whether or not the first secret key encrypted by the first secret key encryption unit matches the confirmation data obtained by the confirmation data obtaining unit, and is operable to determine that the first secret key is qualified upon the verification unit verifying that the first secret key encrypted by the first secret key encryption unit matches the confirmation data.
24. The secret key generating unit according to claim 21, wherein the verification unit includes: a confirmation data obtaining unit operable to obtain confirmation data, which is a criterion for verifying whether or not the first secret key is qualified, the confirmation being obtained from one of the recording medium and the transmission medium; and a confirmation data decrypting unit operable to decrypt the obtained confirmation data using the first secret key obtained by the first decrypting unit, wherein the verification unit is operable to verify whether or not a value obtained by the confirmation data decrypting unit decrypting the confirmation data matches the first secret key obtained by the first decrypting unit, and is operable to determine that the first secret key is qualified upon the verification unit verifying that the value obtained by the confirmation data decrypting unit matches the first secret key obtained by the first decrypting unit.
25. A secret key generating device for outputting a secret key to a decrypting device, which decrypts, using the secret key, an encrypted digital production, the secret key generating device comprising: an obtaining unit operable to obtain medium identification information, an encrypted first secret key, and a CRL from one of a recording medium and a transmission medium, a transformed function value being used as a secret key for encrypting the digital production, the CRL being an information list specifying a revoked public key certificate, the transformed function value being transformed from a function value using an attribute value calculated based on the CRL, the function value being calculated using a one-way function based on the medium identification information and a first secret key, the encrypted first secret key being generated by encrypting the first secret key using a second secret key, and the second secret key being specific to the secret key generating device; a second secret key memory unit operable to store the second secret key that is specific to the decrypting device; a first decrypting unit operable to decrypt the encrypted first secret key, using the second secret key stored in the second secret key memory unit; a function transformation unit operable to transform the medium identification information obtained from the obtaining unit and the first secret key decrypted by the first decrypting unit, by inputting the medium identification information and the first secret key into a one-way function; an attribute value calculating unit operable to calculate the attribute value based on the CRL obtained from the one of the recording medium and the transmission medium; a transforming unit operable to transform the function value, using the attribute value calculated by the attribute value calculating unit and transformed by the function transformation unit, into the transformed function value; and an outputting unit operable to output, to the decrypting device, the transformed function value obtained from the function transformation unit, as the secret key for decrypting the encrypted digital production, wherein the medium identification information is associated with the encrypted first secret key and the CRL via the transformed function value.